Scope and Course Objective

• Gain insight and skills to manage Ethernet and Token Ring LANs and learn troubleshooting techniques
• Study the details of the Ethernet (802.3) and Token Ring (802.5) specification
• Practical hands-on troubleshooting methods using the Network General Corporation Sniffer Network Analyzer
• Assumes basic LAN knowledge and experience using the 4.x Sniffer Analyzer

Pre-requisite: Network Troubleshooting: From Symptom to Solution (TC101C)

Major Topics

• Ethernet Physical Layer
• Ethernet Data Link Layer
• Token Ring Principles
• Source Routing
• Logical Link Control (LLC)
• Upper Layer Protocol Analysis/Decode
  — TCP/IP
  — Novell NetWare
  — Banyan VINES
  — SMB
  — NetBIOS
  — AppleTalk
  — SNA
  — DECnet

IEEE 802 Standards

802.1 — Describes the relationship among the lower layer protocols, their relationship to the OSI reference model, network management issues, and internetworking issues, including the bridge spanning tree algorithm and a draft source routing transparent bridge standard.

Data Link Layer:
802.2 — Logical Link Control (LLC) describes peer-to-peer procedures for the transfer of information and control between any pair of Service Access Points on any 802.X LAN.

Physical Layer:
802.3 — A bus using Carrier Sense Multiple Access/Collision Detection as the access method.
802.4 — A bus using Token Passing as the access method.
802.5 — A ring using Token Passing as the access method.
802.6 — Metropolitan Area Network access method and physical layer specification.

Ethernet Evolution

1972     Work on Ethernet begins at Xerox PARC
1980     V1 Ethernet Spec completed by DEC, Intel and Xerox
1982     V2 Ethernet Spec released
1985     IEEE 802.3
1990     10BASE-T
1990 ->  The dominant heterogeneous open system protocol

Design Goals:

1. Definition simplicity
2. Efficient use of shared resources
3. Ease of reconfiguration and maintenance
4. Compatibility
5. Low cost

Token Ring Evolution

• IBM presents architecture at IEEE meeting
• IEEE 802.5
• IBM announces Token Ring for PCs
• IBM announces 16 Mbps Token Ring and support for Front End Processors and minicomputers
• Token Ring = well established and supported by 100s of vendors

Design Goals:

1. Use of field-proven technology
2. Ease of reconfiguration and maintenance
3. Efficient use of shared resources
4. Make it a standard
5. Superior throughput under heavy loads

Summary of Ethernet Features

• Extremely popular
• Uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD) for its media access control
• Bus or star topology
• Variable size frames
• Best effort delivery
• Digital, baseband signaling with Manchester encoding

Summary of Token Ring Features

• Extremely popular
• Uses a token passing access method
• Star topology
• Variable size frames
• Best effort delivery
• Digital, baseband signaling with Differential Manchester encoding
• Maximum frame size
  — 4 Mb = 4450 bytes
  — 16 Mb = 17800 bytes
• Minimum frame size
  — 24 bytes (less data)

Digital Signal Encoding

[Figure: TTL, Manchester and Differential Manchester waveforms drawn across successive bit cells, with the bit cell boundaries marked]

• TTL is used on circuit boards
• Manchester Encoding is used in Ethernet/802.3
• Differential Manchester Encoding is used by Token Ring/802.5.

Ethernet Components

[Figure: a 10BASE5 Thick Ethernet segment and a 10BASE2 Thin Ethernet segment, each ended by 50 Ohm terminators and joined by a repeater; labelled parts are the transceiver, AUI cable, Network Interface Cards (NICs) and the ground connection]

10BASE5 Thick Ethernet

[Figure: coax cable with a tap and transceiver (Medium Attachment Unit or MAU), connected by an Attachment Unit Interface (AUI) cable (transceiver cable/drop cable) to the Network Interface Card (NIC) in the computer]

10BASE5 Thick Ethernet

[Figure: coax cable with a transceiver and a 50 ohm terminator at each end]

• Maximum segment length = 500 meters
• Maximum number of attachments per segment = 100
• Maximum length of AUI cable = 50 meters
• Minimum separation between attachments = 2.5 meters

10BASE2 Thin Ethernet

[Figure: RG 58 cable with BNC Tee connectors and a 50 ohm terminator at each end]

• Maximum segment length = 185 meters
• Maximum number of attachments per segment = 30
• Minimum separation between stations = .5 meters

Grounding Considerations

[Figure: coaxial cable cross-section showing the center conductor, shield, outer jacket, 50 ohm terminating resistor and the connection to earth]

If not properly grounded, trunk cables are subject to these electrical safety hazards:

• Power surges, spikes or lightning hits contacting the cabling system and network components (computers, transceivers, NICs)
• Static charge buildup on local cable and components
• Differences in voltage potentials between safety grounds to which various network components are attached (ground loops)

The IEEE 802.3 standard specifies:

• Connecting the shield of the trunk coaxial cable to an effective earth ground at one and only one point along the cable
• Using insulating covers on coaxial connectors to ensure that they do not make electrical contact with earth ground

The purpose of grounding is to prevent the building up of electrical voltages that may result in undue hazard to connected equipment or to persons.

10BASE-T Ethernet

[Figure: concentrator or hub with RJ-45 jacks; one station attaches through an RJ-45 jack, an external transceiver and an AUI cable, another through an internal transceiver and RJ-45 jack]

• Media = .4 to .6 mm diameter (26 to 22 AWG) unshielded wire in a multi-pair cable
• Maximum distance from hub to transceiver = 100 meters
• A hierarchical star topology is allowed, with up to four levels of concentrators

10BASE-T Ethernet

Contact   Signal        X-over
   1      Transmit +      3
   2      Transmit -      6
   3      Receive +       1
   4      Not used
   5      Not used
   6      Receive -       2
   7      Not used
   8      Not used

[Figure: jack at NIC and RJ-45 plug]

Common Mode Rejection (CMR)

[Figure: TX+ at +2.5v and TX- at -2.5v]

• For CMR to function properly, a pair of wires needs to be twisted around each other.
• CMR uses the voltage differences between each signal (TX+) and its mirror image (TX-) to determine the logic state of each bit. (The differential voltage is typically either 5v or 0v.)
• Voltage spikes, when they occur, will induce themselves onto the wire pair but the difference in voltage (5v or 0v) will remain the same.
• CMR is not perfect, as excessive electrical “noise” may defeat the cancellation process and destroy the transceivers at the hub and the node.


Ethernet and Token Ring Network Analysis & Troubleshooting — 12/94 Rev. 4.45T
© Copyright 1990 - 1995 Network General Corporation. All rights reserved.


Which Wires are Paired?

[Figure: pairing of the wires under USOC telephone wiring compared with EIA and AT&T 10BASE-T or Token Ring wiring]

• If you suspect noise is damaging data to a station, check to see if the receive pair has been split out.
• If the receive pair is not twisted together, the wires will not be affected by the same noise, and Common Mode Rejection will not be effective.

The Evolution of 10BASE-T Hubs

First Generation Hubs

• Standalone hubs typically support 8-16 ports.
• Some larger multi-slot hubs support from 4-12 “line cards,” each containing 12-24 ports, for a total of about 288 physical ports.
• All users were connected to same backplane, hence the same LAN.

Second Generation Hubs

• The need for autonomous work groups led to backplane segmentation of larger hubs.
• Hub backplanes are physically separated into 2 or 3 or 4 different Ethernet segments.

Third Generation Hubs

• Moves, Adds and Changes (MACs) of LAN circuits led to next logical step - software configuration of backplane into separate segments of varying size.

Third Generation Hubs

• Hubs have become the networking platforms for the 90s.
• Multiple “flavors” of hubs proliferate today. Some offer dedicated functions while others offer add-in functionality via line cards like:
  — Multiple media Ethernet segments: AUI, BNC, 10BASE-T, FOIRL
  — Multiple media Token Ring segments: STP, UTP, fiber repeaters
  — Multiport local and remote bridges with FDDI backbone interfaces
  — Multiport, multi-protocol local and remote routers
  — Ethernet packet switches (Alantec PowerHub, Kalpana EtherSwitch, etc.) These are discussed in more detail later.
  — LAT and TCP/IP terminal servers for RS232-based devices
  — X.25 gateways, SNA gateways
  — Novell NetWare file servers (On a card!)
  — Etc. The list continues to grow.

Hub-to-Hub Connections

• Hubs typically cross over the transmit and receive pairs from the nodes, internally.
• Hub-to-hub connections must be “crossed over” so that the transmit pair of one hub’s port goes to the receive pair of the other hub’s port and vice-versa.
• This can be done with a “crossover cable,” or at the punchdown block, or via an “MDI-X” port that internally crosses the pairs.

House Cabling

[Figure: cable path from the NIC card connection through the wall plate and punch down block to the patch panels]

Beware of too many connections. Each one contributes to signal attenuation and represents a potential failure point.

Hubports Exercise

Objective: Use two related trace files to find the cause of physical errors on a 10BASE-T network.

Background: A user at one of the ports of a 10BASE-T hub was experiencing intermittent problems. Two Sniffer Network Analyzers were installed - one on a known good port and one at the port where the user was having problems. Data was captured between a NetWare client and NetWare file server that were on other ports known to be good. When the traces were compared, they showed different data.

Procedure: Students will work in groups such that two Sniffer Network Analyzers are used to diagnose the problem. One Sniffer Analyzer will work with the HUBPORT1.ENC trace file and the other with HUBPORT2.ENC.

1. Use Files - Load - Data to load one of the trace files below:

   C:\CAPTURE\TC102\HUBPORT1.ENC
   C:\CAPTURE\TC102\HUBPORT2.ENC

Hubports Exercise (Continued)

2. Press F3 twice to display the data. Press F6 for Display options and turn on the Flags field. Press F3 to re-display the data. The flags have the following meaning:

   #  There is a symptom associated with this frame
   C  This frame had a CRC error
   R  This frame is a runt frame - less than 60 bytes long

3. Compare symptom frames (marked with a # flag) with the other Sniffer Analyzer’s trace. Which symptom frames are not in common to both traces?

4. Think about some possible causes for the symptoms seen in frame 44 of HUBPORT2.ENC. Investigate which stations were having problems. Was the NetWare Core Protocol (NCP) client having problems reading data from the NCP server? Was the NCP server having problems?

5. In this step we will investigate the Wrong reply sequence seen in frame 47 of HUBPORT2.ENC. Set a Display filter for the two Station addresses in frame 47. Enable the Summary Display Option Two-station format and display the data. Which frame is present in HUBPORT1.ENC but is missing from the HUBPORT2.ENC trace file?

Hubports Exercise (Continued)

6. Set a Display protocol filter for only the IPX protocol and examine the Request and Reply numbering. Traditionally, NetWare uses a “ping-pong” type of communication protocol where every Request is acknowledged with a Reply bearing the same sequence number. Starting with IPX sequence N=127 in frame 36, note how each Request and Reply pair use the same sequence number which is then incremented in the next pair.

7. Is it now apparent why the Sniffer Analyzer posted a Wrong reply sequence symptom for frame 47?

8. Let’s return to the main problem. You may want to disable your filters. (Press F5 and arrow down to Options. Arrow to the right and choose Use defaults.) Re-examine the data. Why was the user experiencing intermittent problems and what could you do to fix them?
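
The comparison this exercise performs by hand can be sketched in code. The following is an added example, not part of the original course material: it diffs two captures of one request/reply conversation and applies the ping-pong sequence rule from step 6. The `Frame` records, station labels and both traces are constructed for illustration and are not the contents of HUBPORT1.ENC or HUBPORT2.ENC; the matching rule is an assumed simplification of what an analyzer does.

```python
# Added example: all frame records are constructed, not taken from
# HUBPORT1.ENC or HUBPORT2.ENC.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str   # hypothetical station label
    dst: str
    kind: str  # "request" or "reply"
    seq: int   # sequence number carried by the request or reply


def key(frame):
    """Identity used to match the same frame across two captures."""
    return (frame.src, frame.dst, frame.kind, frame.seq)


def missing_from(reference, suspect):
    """Frames captured at the reference port but not at the suspect port."""
    unmatched = Counter(key(f) for f in suspect)
    missing = []
    for frame in reference:
        if unmatched[key(frame)] > 0:
            unmatched[key(frame)] -= 1   # seen at both ports
        else:
            missing.append(frame)
    return missing


def wrong_reply_sequences(trace):
    """Replies whose sequence number differs from the last request seen.

    Returns (index, frame, expected_seq) tuples. An analyzer that never saw
    a request can only compare the reply with the previous request.
    """
    last_request = {}   # (client, server) -> seq of the latest request
    problems = []
    for index, frame in enumerate(trace):
        if frame.kind == "request":
            last_request[(frame.src, frame.dst)] = frame.seq
            continue
        expected = last_request.get((frame.dst, frame.src))
        if expected != frame.seq:
            problems.append((index, frame, expected))
    return problems


def conversation(first_seq, pairs):
    """Build a constructed ping-pong exchange of request/reply pairs."""
    frames = []
    for seq in range(first_seq, first_seq + pairs):
        frames.append(Frame("client", "server", "request", seq))
        frames.append(Frame("server", "client", "reply", seq))
    return frames


# Constructed traces: the suspect port misses one request (sequence 129).
GOOD_PORT = conversation(127, 4)
SUSPECT_PORT = [f for f in GOOD_PORT
                if key(f) != ("client", "server", "request", 129)]

if __name__ == "__main__":
    for f in missing_from(GOOD_PORT, SUSPECT_PORT):
        print("missing at suspect port:", f)
    for index, f, expected in wrong_reply_sequences(SUSPECT_PORT):
        print(f"frame {index}: reply seq {f.seq}, last request seen {expected}")
```

The same reply is clean in the reference trace and flagged in the suspect trace, which points at the capture port rather than at either station.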

[Figure: AUI cable and Network Interface Card (NIC)]

• Used to test the collision presence circuit.
• After successfully transmitting data, the Transceiver asserts the SQE signal on the collision presence circuit.
• When the Network Interface Card sees the SQE signal asserted, it then knows that the Transceiver can inform the Network Interface Card when a collision does occur.
• Not supported by Ethernet Version 1 equipment
• Turn off SQE on a transceiver attached to an AUI port on a repeater or repeating hub.

10BASE-T Link Test Pulse

• Many 10BASE-T transceivers and 10BASE-T hub ports feature a Link LED (usually green in color) that provides a confidence check of wire pair integrity.
• A pulse is transmitted on one end’s transmit pair to the other end’s receive pair at a regular interval. The pulse is unique and will not be mistaken for a data frame or a collision.
• It provides status of the hub’s transmit wire pair to the node’s receive wire pair (node Link LED), and the node’s transmit pair to the hub’s receive pair (hub Link LED.)
• An illuminated Link LED is not a guarantee that the wire pair is polarized or phased correctly (TX+ to RX+, TX- to RX-) or that the wire pair is twisted together end-to-end (pin 3 twisted with pin 6, for example orange/white wire twisted with white/orange wire.)

Advantages and Disadvantages

10BASE2 (Thin Ethernet)
  Advantages: Relatively low cost, Easy to install, Less susceptible to noise than TP
  Disadvantages: Moving one station (with the Tee connector) brings down the whole segment, Susceptible to congestion, Hard to troubleshoot

10BASE5 (Thick Ethernet)
  Advantages: Tested standard, Cables are sturdy, Less susceptible to noise than TP
  Disadvantages: Bulky, Expensive, Hard to install, Hard to troubleshoot, More components that could break

10BASE-F (Ethernet on fiber)
  Advantages: Can carry data farther, Immune to electrical and radio frequency interference, Doesn’t radiate EMI, More secure due to difficulty of tapping in
  Disadvantages: Hard to install, Expensive, More components that could break

10BASE-T
  Advantages: Easy to install, expand, and reconfigure, Troubleshooting is centralized to wiring closet, Hubs offer network management and real-time monitoring, Low cost cabling
  Disadvantages: Susceptible to noise and physical/environmental damage, Expensive hubs and network management software

Alternate Ethernet Components

[Figure: Ethernet transceiver with AUI cable, and multi-port transceiver with AUI cable]

Ethernet Switch
Neither Hub nor Bridge

• Switches packets between ports instead of passing packets over a common backbone like a hub does
• Provides full bandwidth at each port
• Learns which addresses are available at each port
• Looks at just the destination address and forwards immediately if possible
• Packets processed in parallel by very fast hardware. (Typical delay is only 40 microseconds, as opposed to 800 microseconds for some bridges.)
• May support software configuration of port paths, sort of an “electronically controlled patch panel”
• The wide range of functions, architectures, and costs make a comparison of switches difficult.

“Where Do I Attach My Sniffer?”

[Figure: protocol analyzer attached to the SwitchProbe port]

• Switch vendors are working with network analyzer vendors to support monitoring and protocol analysis of switched networks.
• For example, Kalpana’s EPS-2115 SwitchProbe AUI port allows a protocol analyzer to be logically attached to any one of the 15 segments to listen on this segment. The SwitchProbe port receives packets from the network segment that can then be interpreted by a DSS Server or Expert Sniffer Analyzer.
• SwitchProbe ports from multiple EPS-2115M’s can be cascaded using a hub, providing the user with a method of managing multiple EtherSwitches with a single DSS Server or Expert Sniffer Analyzer.

Alternate Ethernet Components (Continued)
Multiport Transceiver (Fan Out Unit)

[Figure: fan out unit (multiport transceiver unit) feeding three end stations. The In port has a female socket; all others have male pins.]

Fan out units typically cause a propagation delay equal to two meters of cable. Therefore, the combined total of AUI cabling should not exceed 48 meters.

Alternate Ethernet Components (Continued)
Ethernet Repeaters

[Figure: a repeater with AUI ports, and a multiport repeater joining 10BASE2 and 10BASE5 segments]

• A repeater is a physical layer device that extends the network length and topology by regenerating and retiming the signal one bit at a time.
• A repeater repeats every signal that comes in on one port onto every other port. A repeater does not isolate traffic or collisions.
• A repeater is transparent to other stations on the network. A repeater is not addressable. It does not store and forward data.
• A 10BASE-T hub acts as a multiport repeater.

Repeaters Are Responsible For:

• Signal Amplification
  — Ensure the amplitude of signals is correct
• Signal Retiming
  — Ensure encoded data output is within jitter tolerances
• Data Repeat
  — Repeat all signals received on one segment to all other segments attached to the repeater
• Preamble Regeneration
  — Remove preamble from received frame and regenerate it on sending frame
• Fragment Extension
  — Extend repeated signal if less than 96 bits (including preamble)

Fiber Optic Inter Repeater Link (FOIRL)

Specification for using fiber optic cabling to interconnect coax segments.

[Figure: Network A and Network B, each with a fiber optic repeater attached to 10BASE5, joined by up to 1000 meters of fiber optic cable]

Propagation Speed of an Ethernet Signal

• Determination of the maximum topology and minimum frame size depends on information about the speed that data travels.
• Data travels at less than the speed of light (c)
• c = speed of light in a vacuum = 300,000 kilometers per second (approximately 1 foot per nanosecond)
• Thick Coax Cable - signal travels at .77c (231,000 km/sec)
• Thin Coax Cable - signal travels at .65c (195,000 km/sec)
• Twisted Pair Cable - signal travels at .59c (177,000 km/sec)
• Fiber Cable - signal travels at .66c (198,000 km/sec)
• AUI Cable - signal travels at .65c (195,000 km/sec)

So, How Long is a Bit?

For thick Ethernet:

231,000 km/sec divided by 10 million bits per second = 23.1 meters

So, a bit occupies 23.1 meters on thick Ethernet, slightly fewer meters for thin and twisted pair Ethernet.

An extension of 32 bits would cause an additional 32 x 23.1 meters or 739 meters to be busy, which makes it possible to busy out a maximum size Ethernet segment.

This explains why a repeater extends a fragment frame by at least 32 bits. It also explains the 32 bit jam added to a collision frame (explained in the Ethernet Data Link Layer section.)

802.3 Maximum Topology
(5-4-3 Rule)

[Figure: Station 1, Segment 1, Repeater Set 1, Segment 2, Repeater Set 2, Segment 3, Repeater Set 3, Segment 4, Repeater Set 4, Segment 5, Station 2]

• The maximum transmission path permitted between any two stations is five segments and four repeater sets.
• Of the five segments a maximum of three may be coax segments; the remainder are link segments.
• A coax segment is a cable terminated at both ends in its characteristic impedance, with a maximum end-to-end propagation delay of 2165 ns for 10BASE5 and 950 ns for 10BASE2.
• A point-to-point link segment is a non-coax segment, terminated in a repeater set at each end, with a maximum end-to-end propagation delay of 2570 ns. A 10BASE-T connection between a hub and station is also considered a point-to-point link.
• If there are no link segments on a transmission path, there may be a maximum of three coax segments on that path given current repeater technology. (From the 1992 edition of 802.3)

Minimum Frame Length Determination

[Figure: Station 1 and Station 2 on Segment 1, followed by Repeater Set 1, Segment 2, Repeater Set 2, Segment 3, Repeater Set 3, Segment 4, Repeater Set 4, Segment 5 and Station 3]

• The minimum length for an Ethernet frame is 64 bytes or 512 bits. This is based on the round-trip propagation delay on a frame for the worst-case scenario.
• Station 1 transmits to adjacent Station 2 on Coax Segment 1.
• Station 3 just misses hearing Station 1’s transmission and also transmits. Station 3’s transmission collides with Station 1’s transmission.
• The damaged frame travels back down the network to inform Station 1 that a collision has occurred. This takes approximately 50 microseconds or 500 bit times.
• The minimum frame length is defined such that the
  — message from Station 1 is long enough so that Station 1 is still sending when the collision is detected
  — the resulting runt message from Station 1 is short enough such that Station 2 (the receiver) can throw out the message on the basis of it being too short

Ethernet Version 2 Maximum Topology

The Version 2 specification explained the maximum topology slightly differently.

[Figure: three coax segments of 500 meters maximum each, repeaters attached by AUI cables of 50 meters maximum, and a pair of fiber optic repeaters joined by up to 1000 meters of fiber optic cable]

  3 x 500 meter coax cable segments      1500 meters
  1 x 1000 meter fiber optic link      + 1000 meters
  6 x 50 meter AUI cables              +  300 meters
                                       = 2800 meters total distance between transmitting stations.
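
How much of the 512-bit minimum frame the cable alone uses up can be worked out from the propagation speeds listed earlier. This is an added example, not part of the original course material: it computes per-segment delay and the round-trip cable delay of the 2800 meter Version 2 path in bit times. Speeds and lengths are the figures quoted on this page; the function names are hypothetical, and repeater and transceiver delays are left out because the page does not list them.

```python
# Added example: speeds and lengths are the figures quoted on this page.
BIT_RATE = 10_000_000   # bits per second
SLOT_BITS = 512         # minimum frame length in bits (64 bytes)

SPEED_KM_S = {
    "thick coax": 231_000,
    "thin coax": 195_000,
    "twisted pair": 177_000,
    "fiber": 198_000,
    "AUI": 195_000,
}

# The Version 2 maximum path: (medium, total meters of that medium).
V2_PATH = [("thick coax", 3 * 500), ("fiber", 1 * 1000), ("AUI", 6 * 50)]


def bit_length_m(medium):
    """Meters of cable occupied by one bit at 10 Mbps."""
    return SPEED_KM_S[medium] * 1000 / BIT_RATE


def delay_ns(medium, meters):
    """One-way propagation delay of a cable run, in nanoseconds."""
    return meters / (SPEED_KM_S[medium] * 1000) * 1e9


def round_trip_bits(path):
    """Round-trip cable delay of a whole path, expressed in bit times."""
    one_way_s = sum(delay_ns(medium, meters) for medium, meters in path) * 1e-9
    return 2 * one_way_s * BIT_RATE


def cable_budget(path):
    """Split the 512-bit slot into cable delay and what is left over.

    The remainder has to cover repeaters, transceivers and the jam,
    none of which are modelled here.
    """
    used = round_trip_bits(path)
    return {"cable_bits": used, "remaining_bits": SLOT_BITS - used}


if __name__ == "__main__":
    print(f"one bit on thick coax: {bit_length_m('thick coax'):.1f} m")
    # Maximum coax segment lengths reproduce the 5-4-3 slide's delay limits.
    print(f"500 m thick coax: {delay_ns('thick coax', 500):.0f} ns")
    print(f"185 m thin coax:  {delay_ns('thin coax', 185):.0f} ns")
    budget = cable_budget(V2_PATH)
    print(f"V2 path cable round trip: {budget['cable_bits']:.1f} bit times, "
          f"{budget['remaining_bits']:.1f} left in the slot")
```

Cable propagation accounts for roughly half of the slot on the longest Version 2 path; a path longer than the specification allows eats into the remainder, and collisions then arrive after a station has finished sending a minimum-size frame.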

[Figure: ACME 10BASE-T Concentrator]

Exercise

Objectives: Examine the effects of exceeding the 802.3 topology specifications. Observe the results of mixing coaxial cable on an Ethernet network. Determine if there is a relationship between collisions and a LAN Overload symptom.

Background: You have been called in to investigate problems on an Ethernet network that was designed by someone else. As far as you can tell, the network looks like the drawing below.

[Network diagram: Thin Ethernet, RG58 coax, 50 meters]

Exercise (Continued)

1. Load the file C:\CAPTURE\TC102\HUB6ARC.ENC.

2. Press F3 to view the Expert Overview screen.

3. Arrow to the left and down and press ENTER on Global Symptoms.
   What is the symptom?
   What is the Start Time for the symptom?
   What is the Duration of the symptom?

4. Press Escape and then press F2 to view the Global Statistics screen. In the upper right quarter of the Global Statistics window are Bandwidth Utilization statistics.
   What was the maximum bandwidth utilization?
   Could this cause a LAN Overload symptom?

Exercise (Continued)

5. Press F2 to view the Expert Overview screen again. What are the symptoms and diagnoses at the DLC Stations layer? Do all the stations seem to be affected by the problems at this layer?

6. Press F3 to display the data.

7. Normally, we would expect to see an increase in collisions during the same time bandwidth utilization increased. Press F6 for Display Options and turn on Absolute time so we can investigate the time of the damaged frames in this trace.

8. Set up a Display filter to only display bad frames, (i.e. turn off Good frames.) Also turn on the Flags Display option so we can see the problems associated with frames. The flags have the following meaning:

   #  There is a symptom associated with this frame
   C  This frame had a CRC error
   R  This frame is a runt frame - less than 60 bytes long
   +  A collision occurred (not available on all analyzers)

Exercise (Continued)

9. Press F3 to display the data and examine the bad frames. Did most of the bad frames happen during the LAN Overload? If not, what else could be a cause of the bad frames?

10. In order to examine the size of the bad frames, turn on the Bytes Summary Display option. The Sniffer Analyzer stops capturing a frame when a collision causes the bits to no longer be recognizable. With a network only 50 meters in length, would you expect to see collisions occurring so far into the Ethernet frames?

11. After investigating this network traffic we interviewed the users of this network and discovered that a user added himself to the Thin Ethernet using a 10 meter length of ARCNET cabling (RG62.) Given the severity of the problems, should the network manager insist that the user connect to the network with RG58 cable?

12. In summary, what changes would you make to the design of this network to reduce the errors? What problems are there in addition to the ARCNET cable?

Troubleshooting Cabling Problems

AUI Cable Connector Pin Assignments - Beware of differences

Pin     Ethernet Version 2       IEEE 802.3
  1     Shield                   Control In circuit Shield
  2     Collision Presence +     Control In circuit A
  3     Transmit +               Data Out circuit A
  4     Reserved                 Data In circuit Shield
  5     Receive +                Data In circuit A
  6     Power return             Voltage Common
  7     Reserved                 Control Out circuit A
  8     Reserved                 Control Out circuit Shield
  9     Collision Presence -     Control In circuit B
 10     Transmit -               Data Out circuit B
 11     Reserved                 Data Out circuit Shield
 12     Receive -                Data In circuit B
 13     Power                    Voltage Plus
 14     Reserved                 Voltage Shield
 15     Reserved                 Control Out circuit B
Shell                            Protective Ground (Conductive Shell)

Troubleshooting Cabling Problems (Continued)

• Use a multi-meter
  — An Ethernet coaxial cable properly terminated at one end measures 50 ohms at the other end.
  — An Ethernet coaxial cable properly terminated at both ends measures 25 ohms in the middle.
  — A short yields 0-10 ohms.
  — An open measures above 1000 ohms.
• Use a Time Domain Reflectometer (TDR)
  — A TDR sends a pulse and measures the reflection caused by opens and shorts. Distances to the problem are calculated based on the cable’s propagation velocity.
• Use a protocol analyzer cable tester

Sniffer Analyzer Cable Tester

The analyzer conducts its cable test by transmitting short frames and examining every transmitted and received bit logically and electrically. If there are discrepancies, it may conclude that there is a problem with the transmission medium.

This media test can be conducted continuously by using the Cable Tester function.

You can also have the analyzer run the cable test when you first capture. If you do not want this test run, you can disable it with the Cable test option in the analyzer’s Options menu.

If no fault is found, the analyzer displays “No cable fault found.” Otherwise, the analyzer displays “Cable open” or “Cable short.”

Cable Tester Exercise
Optional

Objective: Develop familiarity with the Sniffer Network Analyzer Cable Tester function.

Background: Prior to capturing live from the Ethernet, the Sniffer Network Analyzer performs a basic cable test. This media test can also be conducted continuously by using the Cable Tester function.

1. The Instructor will start Capturing from the Ethernet initially. How many frames are seen on the overhead projection?

2. Each student in turn, starting on the instructor’s left, will start capturing from the Ethernet.
   a) How many frames are seen by each student on their analyzer?
   b) How many frames are seen on the overhead projection?

Cable Tester Exercise (Continued)

3. Examine the Bad CRC versus Good Frames count on the overhead projection.
   a) How many good frames are seen?
   b) How many frames have CRC errors?
   c) Are the counts the same?
   d) CRC errors are caused by:
      i) a change in any bit within the frame usually as a result of electrical noise (EMI, RFI)
      ii) a CRC that was incorrectly calculated (or purposely overwritten) on the transmitted frame
      What could the cause be here?

Cable Tester Exercise (Continued)

4. Once everyone has started capturing, stop the capture and display the data.

5. What are the source and destination addresses of the frames?

6. Examine the Cable Tester frames carefully.
   a) Is 6E6E a valid frame length?
   b) Is 6E6E a valid DSAP or SSAP?
   c) Does anything about this frame, apart from the addresses, look normal?

7. By default, what do Ethernet nodes normally do with a frame that contains a bad CRC?

Ethernet Physical Layer Summary

• Multiple physical layer specifications exist - 10BASE5, 10BASE2, 10BASE-F, 10BASE-T
• Alternate Ethernet components include switches, multiport transceivers and repeaters. A 10BASE-T hub is actually a repeater.
• Problems to watch out for at the physical layer include:
  — Cabling problems such as opens, shorts, old AUI cables, cabling with the wrong electrical characteristics, for example ARCNET cabling
  — Twisted pair cabling problems, such as using cables that don’t have the correct pairs twisted
  — Attenuation caused by too many connections
  — Excessive propagation delay caused by breaking the 5-4-3 rule
  — Using SQE on devices that don’t support SQE
  — Hardware problems, such as bad ports on hubs
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Ethernet 
Data Link Layer 
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Ethernet Frame Format 


Preamble | Dest | Source | Type | Data | FCS

(Diagram: the frame fields above, with the Sniffer Capture Range marked)

Preamble: 64 bits (8 bytes) of synchronization (1010...10101011)

Destination: (6 bytes) address of destination node

Source: (6 bytes) address of source node

Type: (2 bytes) specifies upper layer protocol

Data: (46 - 1500 bytes) The data link layer views all information handed to it by higher layers as data,
whether it is protocol information or user data.

FCS: Frame Check Sequence, Cyclic Redundancy Check (CRC) or checksum value
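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802.3 Frame Format

Preamble | Dest | Source | Length | DSAP | SSAP | Control | Data + Pad | FCS

(Diagram: the frame fields above; DSAP, SSAP and Control are the 802.2 Logical Link Control header; the Sniffer Capture Range is marked. The preamble pattern is 1010...10101011.)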


Preamble: 64 bits (8 bytes) of synchronization 
Destination: (6 bytes) address of destination node 


Source: (6 bytes) address of source node 

Length: (2 bytes) specifies the number of bytes (3-1500) in the LLC and data fields 

DSAP: (1 byte) Destination Service Access Point; receiving process at destination 

SSAP: (1 byte) Source Service Access Point; sending process in source 

Control: (1 byte) Various control information (2 bytes for connection-oriented LLC) 

Data: The data link layer views all information handed to it by higher layers as data, whether it is 
protocol information or user data. 

Pad: Pads frame to minimum of 46 bytes of data and LLC so collisions can be detected 

FCS: Frame Check Sequence, Cyclic Redundancy Check (CRC) or checksum value 
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The Two Parts of the IEEE Link Layer 


IEEE Networks                            Non-IEEE Networks
-------------                            -----------------
Network Layer                            Network Layer
Data Link Layer:                         Data Link Control Layer
  Logical Link Control Sublayer          (e.g., Ethernet, ARCNET, LocalTalk)
  Media Access Control Sublayer
  (e.g., 10BASE5, 802.3, 802.5)
Physical Layer                           Physical Layer

• LLC Sublayer

— Flow Control
— Error Control
— Layer 3 Service Interface

• MAC Sublayer

— Frame Transmission and Reception, Channel Access Control, and Framing
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Media Access Control (MAC) 
Frame Transmission 


• Construct frame from data supplied by upper layer

(A legal frame must be at least 64 bytes long and no
longer than 1518 bytes - counting the CRC but not the
Preamble. If necessary, the 802.3 MAC layer adds a
pad so that the frame is at least 64 bytes).

• Calculate the CRC

• Carrier Sense - defer to stations already transmitting

• Interframe spacing - there is always at least a 9.6 microsecond
delay between frames

• Collision detection and enforcement, collision backoff
and retransmission
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MAC Frame Reception 


• Recognize if frame is destined for this station

• Discard frame if it is too short (runt)

• If frame does not end on an 8-bit boundary, truncate it
to the nearest 8-bit boundary

• Calculate CRC. If the calculated CRC does not match
the CRC in the frame, discard the frame.

If the discarded frame also did not end on an 8-bit
boundary, report Alignment Error; otherwise report
CRC error

• Pass good data to upper layer

Since version 4.0, the Sniffer Analyzer does not
distinguish between CRC and Alignment errors.
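The reception steps above, written out as an added example (not part of the course material). The station addresses and payload are constructed; the FCS is the standard CRC-32 as computed by Python's `zlib.crc32`, and the upper length check is taken from the 1518-byte limit on the transmission slide.

```python
import struct
import zlib

MIN_FRAME = 64      # bytes, destination address through FCS, preamble excluded
MAX_FRAME = 1518
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, type_or_length: int, data: bytes) -> bytes:
    """Transmit side: pad to the 64-byte minimum, then append the CRC as the FCS."""
    body = dst + src + struct.pack("!H", type_or_length) + data
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    return body + struct.pack("<I", zlib.crc32(body))   # FCS bytes in wire order


def receive(frame: bytes, station: bytes, extra_bits: int = 0) -> str:
    """Apply the MAC reception checks in the order the slide lists them.

    extra_bits is the count of bits (0-7) that arrived after the last whole
    byte; they are assumed to be truncated from `frame` already.
    """
    dst = frame[:6]
    is_group = len(dst) == 6 and bool(dst[0] & 0x01)     # multicast/broadcast bit
    if dst != station and not is_group:
        return "not for this station"
    if len(frame) < MIN_FRAME:
        return "runt"
    if len(frame) > MAX_FRAME:
        return "too long"
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        # A bad CRC on a frame that also had stray bits is an alignment error.
        return "alignment error" if extra_bits else "CRC error"
    return "pass to upper layer"


def demo() -> dict:
    """Run constructed frames through receive() and return each verdict."""
    me = bytes.fromhex("020000000001")        # constructed station addresses
    peer = bytes.fromhex("020000000002")
    good = build_frame(me, peer, 0x0800, b"constructed payload")
    noisy = bytearray(good)
    noisy[20] ^= 0x01                          # one bit changed in transit
    noisy = bytes(noisy)
    return {
        "length": len(good),
        "good": receive(good, me),
        "one bit flipped": receive(noisy, me),
        "one bit flipped, 3 stray bits": receive(noisy, me, extra_bits=3),
        "cut off at 40 bytes": receive(good[:40], me),
        "addressed to someone else": receive(good, peer),
        "broadcast": receive(build_frame(BROADCAST, peer, 0x0806, b""), me),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A single flipped bit anywhere between the destination address and the FCS is enough to fail the check, which is why noise shows up as CRC errors on the analyzer.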
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Ethernet Contention Access Control 
• All network stations contend for available network bandwidth

• Simultaneous transmits cause collisions, which produce runt
frames

• Works well with bursty traffic
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On a collision, the MAC layer sends a 32-bit jam and then waits a 
random amount of time and tries again. 


If collisions repeat, it tries again up to 16 times.


Each time it retries, it waits a longer amount of time. 
(It becomes more and more polite.) 


However, after the 10th retry, it does not increase the random delay 
time. (It doesn’t get too polite!) 


Uses truncated binary exponential backoff (see next page.) 
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Truncated Binary Exponential Backoff 


• BackoffTime = RandomNumber multiplied by SlotTime

• SlotTime = time to propagate 512 bits (i.e. 51.2 µseconds)

• RandomNumber is greater than or equal to 0 and less than 2^n

• n = number of times it has tried for first 10 times or
n = 10 for the 11th through 16th try

• After 16 tries, report error to the upper-layer protocol
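An added example (not from the course material) that implements the backoff rule above and runs a small slotted contention model with it. The model is an assumption made for illustration: every station starts in the same slot, a successful frame occupies one slot, and waiting stations do not defer to it.

```python
import random

SLOT_TIME_US = 51.2     # time to propagate 512 bits at 10 Mbps
MAX_TRIES = 16          # after 16 tries, report an error
BACKOFF_LIMIT = 10      # the window stops growing after the 10th try


def backoff_window(tries: int) -> int:
    """Number of possible RandomNumber values (2^n) after `tries` attempts."""
    if not 1 <= tries <= MAX_TRIES:
        raise ValueError("tries must be between 1 and 16")
    return 2 ** min(tries, BACKOFF_LIMIT)


def backoff_time_us(tries: int, rng: random.Random) -> float:
    """BackoffTime = RandomNumber * SlotTime, with 0 <= RandomNumber < 2^n."""
    return rng.randrange(backoff_window(tries)) * SLOT_TIME_US


def max_backoff_us(tries: int) -> float:
    """Longest wait a station can draw after `tries` attempts."""
    return (backoff_window(tries) - 1) * SLOT_TIME_US


def contend(stations: int, rng: random.Random) -> dict:
    """Slot-by-slot model of `stations` nodes that all transmit at slot 0.

    Returns {station: ("sent", tries)} or {station: ("error", 16)}.
    """
    tries = {s: 0 for s in range(stations)}
    ready_at = {s: 0 for s in range(stations)}
    outcome = {}
    slot = 0
    while ready_at:
        senders = [s for s, t in ready_at.items() if t <= slot]
        if len(senders) == 1:                      # alone on the wire: success
            s = senders[0]
            outcome[s] = ("sent", tries[s] + 1)
            del ready_at[s]
        elif len(senders) > 1:                     # collision: jam, back off, retry
            for s in senders:
                tries[s] += 1
                if tries[s] >= MAX_TRIES:
                    outcome[s] = ("error", tries[s])
                    del ready_at[s]
                else:
                    wait = rng.randrange(backoff_window(tries[s]))
                    ready_at[s] = slot + 1 + wait
        slot += 1
    return outcome


if __name__ == "__main__":
    for n in (1, 2, 3, 10, 16):
        print(f"try {n:2}: window {backoff_window(n):4}, max wait {max_backoff_us(n):9.1f} us")
    print(contend(5, random.Random(1994)))
```

The printed table shows the window doubling up to 1024 slots (about 52 ms worst case) and then staying flat for tries 11 through 16.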
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Collisions and Runts 


• Collisions are normal, especially during the preamble!

• Legal collisions cause runt frames — frames that are truncated at < 512 bits.

• Collisions that cause runts are legal because the sending station may
not have had time to hear that someone else is sending.

• Late (illegal) collisions cause frames to be truncated beyond 512 bits

• Late collisions are caused by out-of-spec cabling or a bad NIC card.

• Though these frames aren’t recognized as runts, they will probably
have a CRC error.
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The Birth Of A “Runt” 
(Step One) 


[Figure: Station #1 and Station #2 on the cable, showing the start of Station #1's frame and the start of Station #2's frame]


Two stations listen to the wire and, hearing no activity, they transmit their frames 
simultaneously. 


The Sniffer Analyzer sees the closest frame go by. 


Both stations continue to listen to the wire as they send their respective frames. 
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The Birth Of A “Runt”
(Step Two)

[Figure: Station #1 and Station #2 on the cable, showing the start of Station #2's frame and the start of Station #1's frame]


Station #2’s transceiver senses a collision because of the 
irregular voltage on the wire. 


Station #2 sends a 32 bit jam and stops transmitting the frame. 


The Sniffer Analyzer continues to see the frame from Station #1. 
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The Birth Of A “Runt” 


(Step Three) 


[Figure: Station #2 and Station #1 on the cable, showing the start of a frame]


Station #1’s transceiver senses a collision because of the irregular voltage 
on the wire. 


Station #1 sends a 32 bit jam and stops transmitting the frame. 


The Sniffer Analyzer has captured Station #1’s frame up to the point where 
transmission encountered interference from Station #2’s frame. 


The Sniffer Analyzer now sees bit errors created by the conflicting signals. 
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The Birth Of A “Runt”

(Step Four)

[Figure: Station #1, the Sniffer and Station #2 on the cable, showing the end of the Station #2 frame and the Station #1 frame]


Both stations have prematurely stopped transmitting their frames. 


Since Station #1’s entire frame never made it to the wire ... 


... a “Runt” is born. 
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Exercise 


Objective: Use both Expert and Classic options to identify errors on an Ethernet 
network. 


Background: The NFS client pc150 is experiencing problems communicating with the 
NFS server natco-4. The client and server are separated by a repeater. 


1. Set up the Sniffer to Capture in Classic mode. For the Screen format, choose 
Pair counts. 


2. Change the Capture From field to indicate C:\CAPTURE\TC102\FRAGS.ENC. 


3. Press F10 and Enter to start the capture. Hint: Hold down the Alt key to speed up 
the capture from file. 
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Exercise (continued) 


4. When you see ENDFILE, complete the following: 
____ Good
____ Short/Runt
____ Bad CRC


5. Approximately what % of the frames captured were error frames? 


6. What might cause the question marks in the address fields on the Pair counts 
screen? 


7. Now set up the Sniffer to Capture in Expert mode. 
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Exercise (continued) 


8. Press F10 and Enter to start the capture. Hint: Hold down the Alt key to 
speed up the capture from file until you see ENDFILE. 


9. Arrow down to the DLC Stations layer on the Expert Overview screen. 


a) How many diagnoses did the Sniffer identify? 


Press Enter on the DLC Stations layer.

b) What is the diagnosis?


10. Press F1 to read the Explain screen. After reading the Explain screen, what 
ideas do you have for troubleshooting this problem? 


When you are finished reading, press Escape. 
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Exercise (continued) 


Press F3 to display the data. 
a) In the first 19 frames what NFS procedure is the NFS client (pc150) 
performing on the NFS server (natco-4)? 


b) Are the NFS procedures completing successfully? 


Press F6 for Display options. Turn on the Flags field of the Summary 
window. Press F3 to display your data again. Identify which frames are 
damaged. (Hint: most of the damaged frames are at the end). The flags have 
the following meaning: 

# There is a symptom associated with this frame 

C This frame had a CRC error 

R This frame is a runt frame (short frame) - less than 64 bytes long 


Do these errors warrant further investigation in your opinion, and if so how 
would you approach your investigation? 
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[Figure: Remote Bridge, Remote Bridge]


A bridge is a store-and-forward Data Link layer device. 


A bridge increases the size of a network without increasing bandwidth contention, since 
segments separated by a bridge are in different collision domains. 


A bridge is protocol independent. A bridge bases its forwarding decision on the Data Link 
layer destination address in a frame. 


Bridges only pass valid frames. 
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Ethernet Bridges Are Responsible For: 
• Flooding

— If the destination address is unknown or if it’s a multicast/broadcast
destination address, the bridge sends the frame out each port except the
port on which the frame was received.

• Learning

— A bridge is promiscuous and sees every frame on the segments to which
it is attached. By examining the source address in frames, a bridge learns
which stations are on which side of it.

• Forwarding

— Once a bridge learns where stations are, it only sends a frame out the
correct port to reach the destination station.

• Filtering

— If the destination address is out the same port that the frame came in on,
the bridge just drops the frame.

• User Filtering

— Allows a network manager to filter based on protocols, addresses, packet
type, etc. to increase the network's efficiency or to add security measures
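The five responsibilities above as one decision function, in an added example that is not part of the course material. The class name, port numbers and station addresses are constructed for illustration; the `valid` flag stands for the rule that bridges only pass valid frames.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(address: str) -> bool:
    """Multicast and broadcast addresses have the low bit of the first byte set."""
    return bool(int(address.split(":")[0], 16) & 0x01)


class LearningBridge:
    """Hypothetical model of a transparent Ethernet bridge."""

    def __init__(self, ports, user_filter=None):
        self.ports = list(ports)
        self.table = {}                 # station address -> port it was last seen on
        self.user_filter = user_filter  # optional callable(src, dst) -> True to drop

    def handle(self, in_port, src, dst, valid=True):
        """Return (action, ports the frame is sent out of)."""
        if not valid:                   # bridges only pass valid frames
            return "discard", []
        self.table[src] = in_port       # learning: note where the sender lives
        if self.user_filter and self.user_filter(src, dst):
            return "user filter", []
        if is_group(dst) or dst not in self.table:
            # flooding: every port except the one the frame arrived on
            return "flood", [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        if out_port == in_port:         # filtering: destination is on the same side
            return "filter", []
        return "forward", [out_port]    # forwarding: one known port


def demo():
    """Constructed traffic: stations A and C on port 1, station B on port 2."""
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    bridge = LearningBridge(ports=[1, 2, 3])
    steps = [
        bridge.handle(1, a, b),                 # B not learned yet
        bridge.handle(2, b, a),                 # A was learned on port 1
        bridge.handle(1, a, b),                 # B is now known
        bridge.handle(1, c, a),                 # both on port 1
        bridge.handle(2, b, BROADCAST),         # broadcast always floods
        bridge.handle(3, "02:00:00:00:00:0d", a, valid=False),
    ]
    return steps, dict(bridge.table)


if __name__ == "__main__":
    results, table = demo()
    for action, ports in results:
        print(action, ports)
    print(table)
```

Because the table is overwritten on every frame, a station whose frames arrive on two ports in turn keeps flipping its entry, which is the learning instability the Spanning Tree slide describes for looped bridges.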
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[Figure: two bridges joining Network X and Network Y, with Station A and Station B]


The Spanning Tree Algorithm handles loops by disabling alternate routes. Bridges use 
Bridge Protocol Data Unit (BPDU) frames to negotiate a unique device-to-device path. 


Without the Spanning Tree, in the picture above, when Station A sends a frame to Station B: 
• Both bridges forward the frame to Network X, so Station B receives two copies.

• The bridges will see each other’s forwarded frames on Network X. If they haven’t
learned where Station B is, then they will send the frame back onto Network Y. The
frame will loop forever!

• The bridges will see frames from Station A on both Network Y and Network X, so their
Learning Process will continually update the information on where Station A resides.
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Spanning Tree 


• The bridge with the lowest “bridge identifier” is elected to
form the root of the tree.

• The network manager configures a cost for each port on the
bridge. For example, the cost for a T1 link could default to
100, while the cost for a 56 kbps line could default to 500.

• The path cost to the root from a bridge is the sum of all the
port costs between that bridge and the root bridge.

• A bridge periodically sends a BPDU frame out each port
advertising its total path cost to the root from that port.

• The tree is formed by using the lowest cost paths to the root.

• If a “branch” of the tree fails, the Spanning Tree protocol
automatically reconfigures the tree.
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Spanning Tree (continued) 


[Figure: bridged network with port costs (for example 100); legend: Logical Spanning Tree, Non-active links]
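An added example (not from the course material) that computes the outcome the Spanning Tree bullets describe: root election by lowest bridge identifier, path cost as the sum of link costs, and the links left non-active. It is a simplified model that treats every link as a point-to-point connection between two bridges and does not exchange BPDUs; the bridge identifiers and topology are constructed, using the 100 and 500 costs from the slide.

```python
import heapq


def spanning_tree(bridge_ids, links):
    """links: list of (bridge_a, bridge_b, cost). Returns root, costs and link states."""
    root = min(bridge_ids)                       # lowest bridge identifier wins
    neighbours = {b: [] for b in bridge_ids}
    for index, (a, b, cost) in enumerate(links):
        neighbours[a].append((b, cost, index))
        neighbours[b].append((a, cost, index))

    path_cost = {}                               # bridge -> lowest total cost to the root
    active = set()                               # indexes of links kept in the tree
    settled = set()
    heap = [(0, root, -1)]                       # (cost so far, bridge, link used to reach it)
    while heap:
        cost, bridge, via_link = heapq.heappop(heap)
        if bridge in settled:
            continue                             # a cheaper path was already chosen
        settled.add(bridge)
        path_cost[bridge] = cost
        if via_link >= 0:
            active.add(via_link)
        for other, link_cost, index in neighbours[bridge]:
            if other not in settled:
                heapq.heappush(heap, (cost + link_cost, other, index))

    return {
        "root": root,
        "path_cost": path_cost,
        "active": [links[i] for i in sorted(active)],
        "non_active": [l for i, l in enumerate(links) if i not in active],
    }


# Constructed topology: four bridges, three T1 links (cost 100), one 56 kbps line (cost 500).
BRIDGES = [10, 20, 30, 40]
LINKS = [(10, 20, 100), (10, 30, 500), (20, 30, 100), (30, 40, 100)]


def after_failure(failed_link):
    """Reconfigure the tree with one link removed."""
    return spanning_tree(BRIDGES, [l for l in LINKS if l != failed_link])


if __name__ == "__main__":
    print(spanning_tree(BRIDGES, LINKS))
    print(after_failure((20, 30, 100)))
```

In the first run the 56 kbps line is the non-active link; when the T1 between bridges 20 and 30 fails, the same line becomes part of the tree and the path costs of bridges 30 and 40 rise accordingly.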
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Routers 


[Figure: two protocol stacks, from Application down to Physical, joined by a ROUTER]

• Routers only pass protocols that they “understand.”

• Examples include TCP/IP to TCP/IP, DECnet to DECnet,
etc. MultiProtocol routers understand many network layer
protocols.

• “Brouter” is a non-standardized term for a device that
Bridges and/or Routes as configured by a customer.


Ethernet and Token Ring Network Analysis & Troubleshooting 6/94 Rev. 4.4T

© Copyright 1990 - 1994 Network General Corporation. All rights reserved.


Capturing in a Bridged Environment 


The Sniffer will: 


— see frames going between Nodes 
A, B and C. 


— see traffic bridged between the 
two networks. 


— not see frames going between 
Nodes D, E and F. 


At the Ethernet data link layer, the 
source and destination addresses will be 
the end node’s addresses. You will not 
see the bridge’s addresses. 


Example:

If Node D communicates with Node A, the
Sniffer can analyze the session. The Ethernet
addresses will be Node D’s and Node A’s.




Capturing in a Routed Environment 


The Sniffer will: 
— see all traffic on Network 201
between Nodes A, B and C

— see all traffic to and from Network
201 and Network 200

— not see the traffic on Network
200 between Nodes D, E and F


At the data link layer, the source and 
destination Ethernet addresses will be 
the node and the router. 


At the network layer, the source and 
destination addresses will be the 
nodes’ network layer addresses. 


Example: 


If Node D communicates with Node A, the Sniffer sees the 
Ethernet addresses of the router and Node A. 


At the network layer, the Sniffer sees the network layer addresses 
of Node D and Node A. (i.e. IP, XNS, or AppleTalk addresses) 
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Ethernet Troubleshooting Summary 
Propagation Delay 


• Users see
— Slow response time
— Users at end of topology may have more problems than other users
• Sniffer sees
— “Physical errors” symptoms or diagnoses
— Damaged frames (CRC errors)
— Only a few runts (many frames will be legal minimum length)
— Collision counter will be high if cable is too long
— May not be high if collisions are across a repeater
• Look at frames for
— What looks like another station’s preamble after 64 bytes (late collisions)
— AAAAAAAAAA... or
— 5555555555...
— A portion of the preamble
• Cause
— Cable is too long, or out of spec, or there are too many repeaters or hubs
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Ethernet Troubleshooting Summary (cont’d) 
Noise 


• Users see
— Slow response time
— Intermittent disconnections and problems connecting to network services
• Sniffer sees
— “Physical errors” symptoms or diagnoses
— Damaged frames (CRC errors)
— Not many more runts or collisions than baseline
• Cause
— Radio Frequency Interference (RFI)
— Electromagnetic Interference (EMI)
— Poor quality cabling that was not meant for high speed data transmission
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Ethernet Troubleshooting Summary (cont’d) 
Jabbering Station 


• Users see
— Slow response time reported by all users on one side of a repeater
— Problems connecting to network services reported by all users on one side
of a repeater
• Sniffer sees
— “Physical errors” symptoms or diagnoses
— Damaged frames (CRC errors), Collisions, Runts
— If you move Sniffer to other side of a repeater you no longer see errors
• Look at frames
— For giant frames
— For obvious jabber patterns such as numerous FFs, AAs or 55s
— Look for more than 8 bytes of AAs or 55s
— Analyze which sessions are affected to isolate location of bad transceiver
• Cause
— Bad transceiver, or transceiver with SQE disabled
— Transceiver that does not implement 802.3 jabber control
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Ethernet Troubleshooting Summary (cont’d) 
Lack of Termination or Open 


• Users see
— Problems connecting to network services reported by all users on one side
of a repeater
• Sniffer sees
— 16 successive collisions (on larger networks)
— Nothing! (on short networks)
— Fails cable test
• Cause
— Cable break or missing terminator or terminator that’s not doing its job
— Wrong terminator (ARCNET uses 93 ohm terminators)
— Ignorant users!
— Moving equipment
— Heavy equipment being placed on top of cables
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Ethernet Troubleshooting Summary (cont’d) 
Signal Reflection 


• Users see
— Slow response time
— Intermittent problems connecting to network services
• Sniffer sees
— “Physical errors” symptoms or diagnoses
— Damaged frames (CRC errors)
— Runts
• Look at frames
— To see if frames from a single station are always damaged at the same
point, which will help you isolate the location of the problem
• Cause
— Kink in cable
— Transceiver not connected properly
— Impedance mismatch
— Flaky terminator




Ethernet Troubleshooting Summary (cont’d) 
Too Much Traffic 


• Users see
— Slow response time
— Intermittent problems connecting to network services reported by all
users
• Sniffer sees
— Collisions - many of them will be in the preamble
— Runts and CRC errors
— “Physical errors” symptoms or diagnoses for collisions beyond preamble
— High utilization statistic
• Look at frames
— To see what users are doing and how you can subdivide the network
• Cause
— Too many stations that are all very busy
— A highly repeated or bridged network that really should be routed
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Ethernet Troubleshooting Summary (cont’d) 
Interoperability Problems 


• Users see
— Users cannot connect to specific network services
• Sniffer sees
— No more error frames than usual
• Look at frames
— To see if the user’s system is using Ethernet frame format and the
network service is using 802.3 frame format (or vice versa)
— To see if the user’s system is using SNAP frame format and the network
service is not (or vice versa)
• Cause
— Driver software configured incorrectly
— Some implementations only support Ethernet or only 802.3
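An added example (not part of the course material) of the check this slide asks for, using the layouts from the Ethernet Frame Format and 802.3 Frame Format slides: it decides which framing each captured frame uses and reports any protocol that appears in more than one format. The 0x0600 threshold for a Type field, the EtherType and SAP values in the lookup tables, and the AA/AA/03 SNAP header are the standard values and are not taken from the page; the frames and addresses are constructed.

```python
import struct

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8137: "NetWare"}
SAPS = {0x42: "Spanning Tree BPDU", 0xE0: "NetWare", 0xF0: "NetBIOS"}


def classify(frame: bytes) -> dict:
    """Decode the MAC header (no preamble, as captured) and name the frame format."""
    if len(frame) < 17:
        raise ValueError("too short to hold a MAC header and an LLC header")
    field = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    if field >= 0x0600:                              # Type field: Ethernet framing
        info["format"] = "Ethernet"
        info["protocol"] = ETHERTYPES.get(field, f"type {field:04X}")
    elif field < 3 or field > 1500:                  # neither a legal Length nor a Type
        info["format"] = "invalid"
        info["protocol"] = None
    else:                                            # Length field: 802.2 LLC follows
        dsap, ssap, control = frame[14], frame[15], frame[16]
        if (dsap, ssap, control) == (0xAA, 0xAA, 0x03) and len(frame) >= 22:
            snap_type = struct.unpack("!H", frame[20:22])[0]
            info["format"] = "802.3 SNAP"
            info["protocol"] = ETHERTYPES.get(snap_type, f"type {snap_type:04X}")
        else:
            info["format"] = "802.3 LLC"
            info["protocol"] = SAPS.get(dsap, f"DSAP {dsap:02X}")
    return info


def framing_mismatches(frames) -> dict:
    """Protocols seen in more than one frame format, with the stations using each."""
    seen = {}
    for frame in frames:
        info = classify(frame)
        if info["protocol"] is not None:
            seen.setdefault(info["protocol"], {}).setdefault(info["format"], set()).add(info["src"])
    return {proto: fmts for proto, fmts in seen.items() if len(fmts) > 1}


def sample_capture():
    """Constructed capture: a client using Ethernet framing, a server using 802.3."""
    client = bytes.fromhex("020000000001")
    server = bytes.fromhex("020000000002")
    pad = bytes(43)
    return [
        client + b"\xff" * 6 + struct.pack("!H", 0x0806) + bytes(46),
        server + client + struct.pack("!H", 0x8137) + bytes(46),
        client + server + struct.pack("!H", 46) + b"\xe0\xe0\x03" + pad,
        server + client + struct.pack("!H", 46) + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + bytes(38),
    ]


if __name__ == "__main__":
    for f in sample_capture():
        print(classify(f))
    print(framing_mismatches(sample_capture()))
```

Here the client sends NetWare in Ethernet format while the server answers in 802.3 with an LLC header, so neither side recognises the other's frames even though the capture shows no error frames.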
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Ethernet Troubleshooting Summary (cont’d) 
Broadcast Storms 


• Users see
— Slow response time reported by users on one side of a router
— Intermittent problems connecting to network services reported by users
on one side of a router
— Problem crosses bridges
• Sniffer sees
— Lots of broadcast and/or multicast traffic
— “Broadcast/Multicast storm” symptom or diagnosis
• Look at frames
— To see which upper layer protocols may be causing the problem
• Cause
— Network software configuration problems
— Software bugs or lack of robustness
— A bridged network that really should be routed
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Token Ring 


Principles 
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Token Ring Concepts 


Logical and physical rings comprised of 
• Point to point simplex links

• Closed loop cabling system

Token passing access method
• Special control message
• Gives permission to transmit data

• Priority scheme
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Token Passing Schemes

ARCNET
• Attached Resource Computer NETwork (1977)
• Star configuration
• Broadcast token
• Data rates of 2.5 and 20 Mbps

IEEE 802.4 Token Bus
• Logical ring configuration
• Bus topology
• Logical order of stations
• Uses broadband coaxial cable
• Data rates of 1, 5, and 10 Mbps

IEEE 802.5 Token Ring
• Data rates of 4 and 16 Mbps
• Star Cabling Topology
• Electrically a ring, physically wired like a star
• Technology Dominated by IBM
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Basic Token Ring Configuration 


[Figure: Workstation A, Workstation B, Workstation C and Server connected in a ring]


A series of point-to-point connections. 
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Sending Data - Step One 


1. Workstation A captures the token

2. Workstation A converts the token to
a data frame

3. Workstation A addresses the frame
to Server and sends the frame

4. Workstation B receives and re-sends
the frame
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Sending Data - Step Two 


[Figure: ring with Workstation A, Workstation B and Workstation C]
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Server recognizes its address in 
the frame 


Server sets the Address 
Recognized bits 


Server copies the data and sets 
the Frame Copied Bits 


Server re-sends the frame 


Workstation C receives and re-sends
the frame
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Sending Data - Step Three

1. Workstation A sees its own
frame come back and strips
the frame from the ring

2. Workstation A generates a
free token

[Figure: ring with Workstation B and Workstation C]
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16 Mbps Early Token Release (ETR) 


Under 4 Mbps Token Ring, the token is not released 
until a data frame completely circulates the ring. 


16 Mbps ETR allows a token to follow a data frame. 
More than one frame may be on the ring. 


ETR changes the way the priority scheme works. 

— The use of priority may be disabled since a frame may be 
transmitted in its entirety and the token released before the 
frame header returns to its originating station. 

ETR overcomes delays due to: 
— Physical ring length 
— Number of active stations 


— Data rate 
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16 Mbps Early Token Release (ETR) 


• Without ETR

— Station A obtains a Free Token.
— Station B is ready to transmit but must wait for a Free Token.
— Station A releases a frame and waits for its return.
— The time it takes for the frame to return is affected by the
number of stations online, the size of the ring, and the data
transmission rate.
— Station A receives the frame back, and releases the Token.
— Station B receives the token and can now transmit a frame.

• With ETR

— Station A obtains a Free Token.
— Station B is ready to transmit but must wait for a Free Token.
— Station A releases a frame, appends a Token to the end of its
frame, and waits for its return.
— Station B receives the token and can now transmit a frame.
— Station A receives the frame back.
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Ring Maintenance Functions 
Active Monitor 


• Any station on the ring may assume the role of Active Monitor

• Provides master clocking to the ring

• Inserts a minimum 24 bit propagation delay (latency buffer)
which assures that a free token can be circulated properly

• Compensates for frequency jitter

• Confirms that a good token
or data frame is detected on the ring every 10 milliseconds

• Broadcasts a Media Access Control frame saying “I’m alive”
every seven seconds (Active Monitor Present)

• Removes any circulating frames
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Ring Maintenance Functions 
Standby Monitors 


• All stations except the Active Monitor are Standby Monitors.

• Each Standby Monitor broadcasts a “Standby Monitor Present”
message every seven seconds.

• Each Standby Monitor is “standing by” to become the Active
Monitor in case the Active Monitor goes away.

• If the Active Monitor stops doing its duties, a Standby Monitor
will attempt to become the Active Monitor.
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Ring Maintenance Functions 
Neighbor Notification 


• Also known as Ring Poll.

• Every station learns and remembers who its Nearest Active
Upstream Neighbor (NAUN) is from the Active Monitor Present
and Standby Monitor Present frames.

• When a station reports a problem, it also reports who its NAUN
is. This helps the network administrator find the “fault domain.”

[Figure: ring of three stations, one of which sends Active Monitor Present.
Station A: NAUN = Station C. Station B: NAUN = Station A. Station C: NAUN = Station B.]
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Ring Poll Process 


[Figure sequence, continued over the following slides: a ring with one Active Monitor and several Standby Monitors stepping through the ring poll; one step is labelled FCI=0 ARI=0 SMP]
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Monitor Contention 


• This is the bid process to select a new active monitor for
the ring

• The claim token frame is issued by any station detecting
the absence of the active monitor

• Other stations also send claim token frames if they have a
higher address

• A station stops sending claim token frames if it sees a
higher addressed station also sending

• Otherwise the station re-transmits frames. It becomes the
new active monitor when it copies 3 of its own frames

• New active monitor will then send ring purge frame
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Monitor Contention 
Continued 


Reasons for a Standby Monitor to Enter Monitor Contention: 
• no frame or token detected in 2.6 seconds

• no AMP in 15 seconds

• frequency error (not detected by active monitor)

• receives its own Beacon frame

• detects a circulating Beacon frame

• while in Beacon repeat mode, detects no Beacon frame in 200
milliseconds

• signal loss condition
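An added example (not part of the course material) that reads a list of MAC frame summaries the way the ring poll and monitor contention slides describe: ring order and NAUNs come from one AMP followed by the SMPs, and the contention winner is the highest address among the stations sending Claim Token. The capture, its timestamps and the station addresses are constructed, and the tuple layout (time, source, frame type) is an assumption rather than a Sniffer file format.

```python
AMP_TIMEOUT = 15.0      # a standby monitor enters contention after no AMP in 15 seconds


def address_value(address: str) -> int:
    return int(address.replace(":", ""), 16)


def ring_order(frames):
    """Stations in ring order, starting with the active monitor (first full ring poll)."""
    order = []
    for _, source, kind in frames:
        if kind == "AMP":
            if order:
                break                       # next poll has started
            order.append(source)
        elif kind == "SMP" and order:
            if source in order:
                break
            order.append(source)
    return order


def nauns(order):
    """Each station's Nearest Active Upstream Neighbor is the one before it on the ring."""
    return {station: order[i - 1] for i, station in enumerate(order)}


def monitor_contention(frames):
    """Describe the first monitor contention in the capture, or return None."""
    last_amp = started = purge_from = None
    claimers = []
    for time, source, kind in frames:
        if kind == "AMP" and started is None:
            last_amp = time
        elif kind == "Claim Token":
            if started is None:
                started = time
            if source not in claimers:
                claimers.append(source)
        elif kind == "Ring Purge" and started is not None:
            purge_from = source             # the new active monitor purges the ring
            break
    if started is None:
        return None
    timed_out = last_amp is not None and started - last_amp >= AMP_TIMEOUT
    return {
        "started": started,
        "claimers": claimers,
        "winner": max(claimers, key=address_value),
        "ring_purge_from": purge_from,
        "reason": "no AMP in 15 seconds" if timed_out else "other",
    }


A, B, C = "40:00:00:00:00:30", "40:00:00:00:00:10", "40:00:00:00:00:20"
CAPTURE = [  # constructed: (seconds, source address, MAC frame type)
    (0.00, A, "AMP"), (0.02, B, "SMP"), (0.04, C, "SMP"),
    (7.00, A, "AMP"), (7.02, B, "SMP"), (7.04, C, "SMP"),
    (22.10, B, "Claim Token"), (22.11, C, "Claim Token"),
    (22.12, C, "Claim Token"), (22.13, C, "Claim Token"),
    (22.20, C, "Ring Purge"), (22.30, C, "AMP"),
]

if __name__ == "__main__":
    order = ring_order(CAPTURE)
    print(order, nauns(order))
    print(monitor_contention(CAPTURE))
```

In the constructed capture the active monitor goes silent after its second AMP, two standby monitors bid, and the higher-addressed one keeps claiming and then sends the Ring Purge.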


Exercise


Objective: Determine which station becomes the active monitor after monitor 
contention. 


Background: This is a network of 4 Sniffers generating traffic and one Sniffer 
(NwkGnlE01449) just capturing traffic. The Sniffers that are generating 
traffic send AMP or SMP frames. The Sniffer that is capturing is not a 
standby or active monitor. The generating Sniffers send test frames — 
Unnumbered Information (UI) frames to the Destination Service Access 
Point (DSAP) of 0, which is not a standard SAP, so the Sniffer does not 
decode the upper layers. 


1. Load and display the file C:\CAPTURE\TC105\ACTMON2.TRC. 


2. Press F3 to display the data. 


3. List the ring order, starting with the active monitor. 
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Exercise 
Continued 


4. Does the active monitor send Active Monitor Present approximately 
every 7 seconds? 


5. In which frame does the ring enter monitor contention? 
6. Which station becomes the new active monitor? 
7. Why did the ring enter monitor contention? 


8. Does the station that was originally the active monitor ever return to 
the ring? 
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IBM Token “Ring” is Actually 
Wired as a Star Configuration 
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Medium Interface Connector (MIC) 


• It is a self shorting connector

• Four conductor, genderless
— Receive - : Red
— Receive + : Green
— Transmit - : Orange
— Transmit + : Black
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NIC Connector 


[Figure: connector pins labelled Receive - (Red), Receive + (Green), Transmit - (Orange), Transmit + (Black)]

• DB-9 Connector

• Interfaces NIC to network
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Modular Connector 


[Figure: modular connector with pins numbered 1 through 8 and pairs P1 and P2 marked]
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Multistation Access Unit 


• IBM - passive signal relay (8228)
• Provides a fault tolerant architecture
• Supports 8 workstation ports plus 2 MAU ports
• Senses power from workstation to activate relays
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[Figure: MAU with Ring In (RI) and Ring Out (RO) ports, RO leading to another MAU, and a workstation connector]
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Interconnected MAUs 
(with No Backup Path) 
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[Figure legend: dashed line = Backup path (remains idle during normal operation); solid line = Primary path]
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Backup Path in Operation 


[Figure legend: dashed line = Backup path (in operation); solid line = Primary path; Faulty Cable Pulled]
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The Evolution of the 8228 


• Since the introduction of the 8228 MAU, many
manufacturers have implemented products that go 
beyond replacing or enhancing its functionality. 
Improvements to the original design include: 


— Active Ring In and Ring Out ports that can “wrap” themselves 
when a signal loss is detected. 


— Built-in signal repeaters that extend the distance between 
MAUs. 


— Remote software configuration and administration. 
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Data Link Control 


Data Link Layer

Logical Link Control:  IEEE 802.2

Media Access Control:  CSMA/CD    | Token Bus  | Token Ring
                       IEEE 802.3 | IEEE 802.4 | IEEE 802.5
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Data Link Framing 


[Figure: frame showing the Logical Link Control and Media Access Control portions]
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MAC Layer Control 


• 25 different MAC frames

• The MAC layer allows stations to formally enter
and leave the ring

• Reports soft errors — recovery is usually automatic

• Reports hard errors — recovery may require human
intervention

• Reports configuration changes

• MAC frames are handled by the Token Ring
chipset on the Network Interface Card (NIC)
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Functional Addresses Used in MAC Frames 


[Figure: Ring Error Monitor, Configuration Report Server, Ring Parameter Server]


Ring Error Monitor — Collects error information from NICs, active monitor and 
standby monitor(s). 


Configuration Report Server — Stores network configuration, maintains station 
parameters, removes stations from LAN. 


Ring Parameter Server — Assigns operational parameters to stations inserted into the ring.
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Example MAC Frames 


• Duplicate Address Test — sent by a station attempting to insert onto the ring

• Active Monitor Present (AMP) — sent by the active monitor every seven seconds to
indicate its presence

• Standby Monitor Present (SMP) — sent by the standby monitors every seven seconds to
indicate readiness

• Claim Token — issued by a station attempting to become the active monitor

• Ring Purge — issued by the active monitor to release a new token after error recovery

• Report Soft Error — report an error condition that has temporarily degraded system
performance

• Beacon — transmitted by any station detecting lost signal or streaming station
Station Ring Insertion

• Internal diagnostic check

• Lobe wiring check

• Look for active monitor

• Check for duplicate address

• Nearest Active Upstream Neighbor (NAUN) notification

• Request for parameters (such as ring number, soft error report timer)
Station Ring Removal

• Station is powered down or physically disconnected

• The Universal Data Connector MAU port automatically shorts leads

• Downstream neighbor detects electrical glitch

• Downstream neighbor reports Stored Upstream Address (SUA) change after no transmission from neighbor notification process
Problem Determination - Soft Errors
Isolating Errors

• Line error — invalid character in a frame or token

  Check the upstream neighbor of the station generating the error and any cabling between the two stations.

• Internal error — The station generating the error had an internal problem.

• Burst error — signaling problem. Check the cabling in the fault domain.

• AC error — The station generating the error received more than one AMP or SMP frame with the address recognized and frame copied bits set to zero, indicating a problem with neighbor notification (ring poll).

  Check the upstream neighbor of the station generating the error.

• Abort delimited error — The station generating the error had a problem transmitting.

[Figure: Soft Error Report sent to the optional Ring Error Monitor, with the fault domain marked.]
Possible Cause of Line and Burst Soft Errors

• Crosstalk
  — Caused by inductive (magnetic field) coupling from one wire to another
  — Common in twisted pair
  — Measured in dB = decibels

• Noise
  — Radio Frequency Interference (RFI) — cable picks up radio/television/data signals
  — Electromagnetic interference (EMI)
      • Fluorescent lights
      • Arc welders
      • Generators/motors
      • Dimmer switches
  — Measured in signal to noise ratio (SNR) watts or milli-watts
Problem Determination - Soft Errors
Non-Isolating Errors

• Lost frame — transmitter failed to receive its own frame back

• Receive congestion — The network card generating this error has gotten overloaded.

• FC copied error — Station sees a frame addressed to itself with the address recognized bits already set.

  Check for duplicate addresses on ring

• Frequency error — signal is off frequency. Check the active monitor.

• Token error — The active monitor generates this error when the token gets lost. This may just be due to ring reconfiguration. If it occurs often, check to see if other soft errors indicate a specific problem.

[Figure: Soft Error Report sent to the optional Ring Error Monitor.]
Beacon

• Transmitted from ring station when a hard error is detected

• Hard error usually requires human intervention

• Continuously transmitted until ring is reestablished

• Beacon frame contains beaconing station address and upstream neighbor’s address

[Figure: Upstream Neighbor Station and Beaconing Station on the ring.]
Reasons For Beaconing

• Signal loss error (0x0002 highest priority)

  The most likely problem is a cable break between the NAUN and the source station of the Beacon MAC frame. Check the cabling between the two stations to find the fault. If it is difficult to check the cabling or there is a need to restore the ring quickly, bypass the ring between the two stations. Another possible cause is the upstream neighbor entered the ring at the wrong speed.

• Streaming Signal, not Claim Token (0x0003)

  The upstream neighbor is bit streaming, writing over tokens and frames. The problem is most likely either a malfunctioning adapter, or a station that has inserted into the ring at the wrong speed.

• Streaming Signal Claim Token (0x0004 lowest priority)

  The upstream neighbor is continually sending Claim Token frames and monitor contention has failed to complete. Check the two stations in the fault domain.
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Exercise 


Objective: Isolate the fault domain when the ring beacons. 


Background: This was a NetBIOS, Novell environment with the configuration 
below. 8228 MAUs were in use. No backup path was cabled. 


IBM DEC785 IBM EO0B6C 
Patch Cable 


IBM 788514 IBM DEDC89 
400015003001 MEGSRV 


(IBM 7DB919) 
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Exercise 
Continued 
1. Load and display the file C:\CAPTURE\TC105\BEACON2.TRC. 


2. Press F6 (Display options) and turn on DLC Addresses. Press F3 to display the 
data. 


3. Which station is the active monitor at the beginning of this trace? Indicate this on the 
drawing on the previous page. 


4. Using the AMP and SMP frames in the trace, indicate the ring order on the drawing
by writing numbers by the station addresses - for example, the number 1 at the active
monitor, the number 2 at the active monitor's downstream neighbor, etc. (Don't count
the Sniffer - it was just sniffing.)


5. In what frame does the ring enter monitor contention? 
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Exercise 
Continued 


6. What does IBM DEC785 do when monitor contention fails? 

7. In frame 87 where is the Fault Domain? Include it in your picture. 

8. Why does IBM DEC785 stop beaconing in frame 888? 

9. When IBM DEC785 stops beaconing does the ring immediately recover?
10. Explain what happens in frame 1039. 


11. Does the ring ever recover? 
Token Ring Frame Format (802.5)

Starting Delim | Access Ctrl | Frame Ctrl | Dest Addr | Source Addr | Route Info | DSAP | SSAP | Ctrl Info | Upper Layer Protocols and Data | FCS | Ending Delim | Frame Status

(DSAP, SSAP and Ctrl Info make up the LLC header.)

Starting Delim: Unique signal pattern identifying frame start; also byte 1 of Token
Access Control: Identifies whether frame is data or token; byte 2 of Token
Frame Control: Identifies frame type and, for certain types, the function to be performed
Dest Addr: 6 bytes; can be individual, multicast, or broadcast
Source Addr: An individual address of the frame's originator
Route Info: Optional; used for multi-ring networks
DSAP: Destination Service Access Point; receiving process at destination
SSAP: Source Service Access Point; sending process in source
Control Info: Various control information (2 bytes for connection-oriented LLC)
ULP and Data: Upper-layer data, up to 4K bytes on 4 Mbps and 18 Kbytes on 16 Mbps
FCS: CRC error check
Ending Delim: Unique signal pattern identifying frame end; byte 3 of Token
Frame Status: Provides feedback to the source about the condition of the frame
Frame Formats
Continued

Token

Frame

SD | AC | FC | DA | SA | INFO | FCS | ED | FS
CRC Protected
AC/FC

Access Control
  Priority
  Reservation
  Monitor Count
  Token Indicator (0 = token)

Frame Control
  Frame Type
    00  MAC
    01  LLC
  Physical Control Field Attention Code
    0001  Express Buffer
    0010  Beacon
    0011  Claim Token
    0100  Ring Purge
    0101  Active Monitor Present
    0110  Standby Monitor Present
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Frame Status 
BIT 0 1 


Ethernet and Token Ring Network Analysis & Troubleshootings 6/94 Rev. 4.4T 


Error Detected 
1 =Error CRC/ Code Violation 
Token Ring Destination Address

Group (1) / Specific (0)
Locally Administered (1)
Functional (0) / Non Functional (1)

BYTE 0 | BYTE 1 | BYTE 2 | BYTE 3 | BYTE 4 | BYTE 5

C000 FFFF FFFF   Broadcast
FFFF FFFF FFFF   Broadcast
C000 0000 0001   Active Monitor (Destination)
C000 0000 0002   Ring Parameter Server
C000 0000 0008   Ring Error Monitor
C000 0000 0010   Configuration Server
C000 0000 0080   NetBIOS
C000 0000 0100   Bridge
C000 0000 2000   LAN Manager
Token Ring Capture Range

Sniffer Analyzer Capture Range

The Sniffer Analyzer captures all fields except:

• Start/end delimiters

• Frame check sequence

• Frame Status (The Sniffer Analyzer does report the values of address recognized and frame copied bits in the Frame Status field, but does not capture them.)

• The Sniffer Analyzer does not capture free tokens.
Using the Sniffer Analyzer
in a Token Ring Environment

• Use the software switch to change capture speed (4 or 16 Mbps) on all portable Sniffer platforms (Dolch, Toshiba, Compaq, desktop NCR Sniffer and IBM PS/2 P70).

• On Dolch, Toshiba, Compaq and desktop NCR Sniffer platforms, use the hardware switch to change traffic generation speed. Use the software switch to change traffic generation speed on laptops using the PCMCIA cards and the IBM PS/2 Model P70.

• On DSS Sniffer Servers, use the hardware switch for capture and traffic generation speed.
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Exercise 


Objectives: Gain a better understanding of the Token Ring frame format by 
looking at Active Monitor Present and Standby Monitor Present 
frames. 


Practice using Sniffer Pattern Match Capture Filters. 


Save room in your Capture Buffer by filtering 
out all Active Monitor Present and Standby 
Monitor Present Media Access Control frames. 


1. Capture from the file C:\CAPTURE\TC105\BEACON2.TRC 


From the Capture menu, move to the right and down and specify capture From the 
file. (DO NOT just load the file.) Press the F10 key to do the capture. 


2. Display the data. Press F6 (Display options) and enable Summary, Detail and 
Hex windows. Find an Active Monitor Present frame. Highlight on Active Monitor 
Present in the Detail window. Press F5 and move up to Capture filters. 
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Exercise 
Continued 


3. Set the protocol filter up so that only MAC frames will be captured. 


4. Use the "copy and paste" feature under Pattern match to enter the HEX 
for Active Monitor Present in the first Pattern of Match 1. Also use the 
"copy and paste" feature to enter the Offset. Choose Don't match. 
Recapture. 


5. Repeat the process to filter out all Standby Monitor Present frames as well 
as Active Monitor Present frames. Recapture the data. How many frames 
are accepted? 
Source Route Bridging
Bridging Definitions

• Source routing — a bridging mechanism where the source end-station specifies how a frame should traverse a multi-LAN network.

• Spanning tree — a topology of bridges such that there is one and only one data route between any two end-stations.

• Transparent bridging — a bridging mechanism that is transparent to end-stations, where bridges send Bridge Protocol Data Unit (BPDU) frames to each other to establish and maintain a spanning tree topology.

• Source Routing Transparent (SRT) bridge — a bridge that provides both source routing and transparent bridging.

• Explorer frame — a frame used to discover the route to a remote node. An SRT bridge adds routing information to the frame as it forwards the frame.
Source Routing Example:
All Routes Broadcast
Non-broadcast return

Node 1 generates an All Routes Broadcast in search of Node 2

[Figure: multi-ring network joined by Bridge 1, Bridge 2, Bridge 3 and Bridge 4.]
Source Routing Example:
Single Route Broadcast
All Routes Return

Node 1 generates a Single Route Broadcast in search of Node 2.
These broadcasts only pass through selected bridges.

[Figure: multi-ring network joined by Bridge 1, Bridge 2, Bridge 3 and Bridge 4.]
IBM Token Ring Bridge
Configuration Options

• Manual Mode

  — Bridges can be manually configured to support Single Route Broadcasts.

  — Bridges will only forward frames that contain source routing information.

  — If a bridge goes down, and is configured to pass Single Route Broadcasts, human intervention is required to reconfigure the network.

  — IBM bridges operating in the Manual Mode do not use the Spanning Tree Algorithm.
IBM Token Ring Bridge
Configuration Options

• Automatic Mode

  — The Spanning Tree Algorithm will be used to determine which bridges will forward Single Route Broadcasts.

  — With two bridges in parallel, if one bridge fails, the other will forward Single Route Broadcasts automatically.
Source Routing Transparent Bridges

• Specified in Appendix C of IEEE 802.1d

• An SRT bridge performs source routing when frames are received with routing information (RII=1) and performs transparent bridging when frames are received without routing information (RII=0).

• Will be used by FDDI as well as Token Ring

• When a station sends an explorer frame to find a remote station, it can specify a Spanning Tree Explorer frame.

• When redundant bridges exist, they will use the Spanning Tree Algorithm to determine which bridges should forward Spanning Tree Explorer frames.
Routing Information Indicator (RII)

Starting Delim | Access Cont | Frame Cont | Dest Addr | Source Addr | Routing Information | LLC | Upper Layer Protocols and Data | FCS | Ending Delim | Frame Status

[Figure: the Routing Information Indicator is marked at the start of the Source Addr field.]

• The Routing Information Indicator is bit 0 of the first byte of the Source Address. It is the first bit of that byte transmitted.

• The Source node sets the RII bit when it inserts routing information in a frame.

• If the RII bit is 1 then routing information is present.

• If the RII bit is 0 then no routing information is present.

• The routing information is used by bridges to make a decision how to forward the frame.
Routing Information Field

Routing Control | Routing Designator | Routing Designator

• Sent by source station

• IBM specifies that seven bridges may be traversed

• IEEE specifies that thirteen bridges may be traversed

• Routing information is on every inter-ring frame
Routing Control

Fields:
  Route Type
    0XX  Specific (Non-Broadcast)
    10X  All Routes Explorer (All routes broadcast)
    11X  Spanning Tree Explorer (Single route broadcast)
  RI Length   2-30
  Direction
  Largest Frame
  Extension to Largest Frame
  Reserved

Largest Frame:
  000  516
  001  1470
  010  2052
  011  4399
  100  8130
  101  11407
  110  17749
  111  41600 - 65535
Route Type

• 0XX — Specific (non-broadcast)

  The bridges route the frame using the Route Designator (RD) fields in the routing information. The source node uses the RDs to specify which rings and bridges the frame should go through.

• 10X — All Routes Explorer (All routes broadcast, non broadcast return)

  Used to find a station. The source node does not supply any routing information. All bridges forward the frame and add to the frame their bridge number and the ring number onto which the frame is forwarded. (The first bridge also puts in the ring number of the first ring.) The receiving station usually returns a specifically routed non-broadcast frame (though the IEEE 802.1d specification does not require this).

• 11X — Spanning Tree Explorer (Single route broadcast)

  Used to find a station. The source node does not supply any routing information. Only bridges in the spanning tree forward the frame.

  Though not required by the IEEE 802.1d specification, historically two types of STE frames exist:

  110 — Single-route broadcast, all routes broadcast return

  111 — Single-route broadcast, non broadcast return
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Routing Designator 


Ring Number 


Bridge Number 


The last Bridge Number in the RI = 0 
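
The RII bit, Routing Control and Routing Designator slides above can be tied together in one decoder. The following is an added example, not part of the course material: the bit positions (RII as the most significant bit of the first source-address byte, 3-bit route type plus 5-bit length, direction and 3-bit largest-frame code in the second byte, 12-bit ring and 4-bit bridge numbers) are the usual 802.5 layout and are assumed here, and the sample bytes are constructed using the ring numbers from Exercise 2.

```python
"""Decode a Token Ring source-routing Routing Information (RI) field."""

# Largest Frame codes as listed on the Routing Control slide.
LARGEST_FRAME = {
    0b000: "516", 0b001: "1470", 0b010: "2052", 0b011: "4399",
    0b100: "8130", 0b101: "11407", 0b110: "17749", 0b111: "41600-65535",
}

# Constructed samples (not taken from any trace file).
SAMPLE_SA = bytes.fromhex("900000000001")      # source address with RII set
SAMPLE_RI = bytes.fromhex("0830a2220642b150")  # A22 -(2)- 064 -(2)- B15


def has_routing_info(source_addr: bytes) -> bool:
    """RII is the first bit transmitted of source-address byte 0 (mask 0x80)."""
    if len(source_addr) != 6:
        raise ValueError("source address must be 6 bytes")
    return bool(source_addr[0] & 0x80)


def route_type(bits: int) -> str:
    """Map the 3 route-type bits: 0XX, 10X, 11X."""
    if not bits & 0b100:
        return "Specific (non-broadcast)"
    if not bits & 0b010:
        return "All Routes Explorer"
    return "Spanning Tree Explorer"


def parse_ri(data: bytes) -> dict:
    """Parse Routing Control plus Routing Designators, validating lengths."""
    if len(data) < 2:
        raise ValueError("RI field shorter than the 2-byte Routing Control")
    length = data[0] & 0x1F
    if not 2 <= length <= 30 or length % 2:
        raise ValueError(f"invalid RI length {length}")
    if length > len(data):
        raise ValueError("RI field truncated")
    designators = []
    for off in range(2, length, 2):
        rd = int.from_bytes(data[off:off + 2], "big")
        designators.append((rd >> 4, rd & 0x0F))   # (ring, bridge)
    if designators and designators[-1][1] != 0:
        raise ValueError("last Routing Designator must have bridge number 0")
    bridges = max(len(designators) - 1, 0)
    return {
        "route_type": route_type(data[0] >> 5),
        "length": length,
        "direction": data[1] >> 7,
        "largest_frame": LARGEST_FRAME[(data[1] >> 4) & 0b111],
        "designators": designators,
        "bridges": bridges,
        "over_ibm_limit": bridges > 7,   # IBM: 7 bridges; IEEE: 13
    }


def describe_path(ri: dict) -> str:
    """Render ring/bridge hops in the order the frame travels them."""
    hops = ri["designators"]
    rings = [ring for ring, _ in hops]
    bridges = [bridge for _, bridge in hops[:-1]]
    if ri["direction"]:          # direction bit set: read designators in reverse
        rings.reverse()
        bridges.reverse()
    parts = []
    for i, ring in enumerate(rings):
        parts.append(f"ring {ring:03X}")
        if i < len(bridges):
            parts.append(f"bridge {bridges[i]:X}")
    return " -> ".join(parts)


if __name__ == "__main__":
    print(has_routing_info(SAMPLE_SA), describe_path(parse_ri(SAMPLE_RI)))
```

An explorer frame leaving its source carries only the two Routing Control bytes, so `parse_ri` returns an empty designator list for it; bridges append designators as the frame is forwarded.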
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Capturing in a Bridged Environment 


The Sniffer will: 


— see frames going between Nodes 
A, B and C. 


— see traffic bridged between the 
two networks. 


— not see frames going between 
Nodes D, E and F. 


At the Token Ring data link layer, the 
source and destination addresses will be 
the end node’s addresses. You will not 
see the bridge’s addresses. 


If Node D communicates with Node A, the 
Sniffer can analyze the session. The Token 
Ring addresses will be Node D’s and Node 
A’s. 
Capturing in a Routed Environment

The Sniffer will:
— see all traffic on Network 201 between Nodes A, B and C
— see all traffic to and from Network 201 and Network 200
— not see the traffic on Network 200 between nodes D, E and F


At the data link layer, the source and 
destination Token Ring addresses will 
be the node and the router. 


At the network layer, the source and 
destination addresses will be the 
nodes’ network layer addresses. 


Example: 


If Node D communicates with Node A, the Sniffer sees the 
Token Ring addresses of the router and Node A. 


At the network layer, the Sniffer sees the network layer addresses 
of Node D and Node A. (i.e. IP, XNS, or AppleTalk addresses) 
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Exercise 1 


Objective: Identify proper source routing behavior : 


Background: A NetBIOS workstation ( BORIS851<00> ) is attempting to 
discover what resources are available on the network. 


1. Load and display C:\CAPTURE\TC105\ALLROUTES.TRC. 


2. Turn the Expert display option off and set up a display filter to focus only 
on the source routing protocol. Return to the summary window. 


3. What ring is BORIS851<00> on? 
What ring is KREMLIN1 on? 
What ring is the Sniffer on? 
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Continued 


4. In frame 1 what type of broadcast is used by BORIS851<00> to locate 
KREMLIN1? What is the destination address? How does 
BORIS851 want KREMLIN1 to respond? 


5. In frame 2 what is the destination address? What kind of response is 
sent by KREMLIN1? 


6. How many responses do we see from KREMLIN1? How many
packets did KREMLIN1 send?


7. How many possible paths could BORIS851<00> use to communicate to
KREMLIN1?


8. What kind of bridge is used between rings 101 and 00E? 
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Exercise 2 


Objective: Investigate non-efficient source routing behavior. Use the last page of this 
exercise to draw a picture of the multi-ring network from which this trace 
was taken. 


Background: Stations in this trace are using the Server Message Block (SMB) protocol 
at the application layer. SMB runs on top of NetBIOS at the session layer. 


Hint: There are two distinct bridges with the bridge number 2 in this trace. This 
is not a problem. One Bridge 2 connects Rings A22 and 064. The other 
Bridge 2 connects Rings 064 and B15. 


1. Load and display C:\CAPTURE\TC105\RINGS.TRC. 


2. In frame 1, PCJAW00 tries to find BFSRVR by sending a NetBIOS “Find name”
request to the multicast address for all NetBIOS stations. Does BFSRVR respond?


3. What ring is PCJAW00 on?
What ring is BFSRVR on?
What ring is the Sniffer on?



© Copyright 1990 - 1994 Network General Corporation. All rights reserved. 


Exercise 2 
Continued 


4. After finding BFSRVR, PCJAW00 initializes the NetBIOS session in frame 7, and then
negotiates the protocol level to be used at the SMB layer in frame 11. These frames
indicate PCJAW00 has successfully established the session with BFSRVR.


Why do we see another NetBIOS “Find name” request in frame 12? (Hint: look at the 
Routing Information.) 


5. Do you think the bridges in this network understand the Spanning Tree Algorithm? 


Continue on the next page. 
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Exercise 2 
Continued 


6. Using the Routing Information data from the frames in this trace, draw a picture of
this multi-ring network.
Logical Link Control
Logical Link Control

• IEEE 802.2

• Point to point data integrity

• Flow control

• Link maintenance

• Service access point addressing

• Connection oriented or connectionless services

• Functions independently of MAC layer
802.X Header

[Figure: the 802.X Header (MAC Sublayer) followed by the LLC Sublayer fields DSAP, SSAP and Control.]

DSAP: (1 byte) Destination Service Access Point; receiving process at destination
SSAP: (1 byte) Source Service Access Point; sending process in source
Control: (1 byte) Various control information (2 bytes for connection-oriented LLC)
SNAP Header Format

• Subnetwork Access Protocol (SNAP) provides a standard way of encapsulating upper layer protocols on IEEE 802 networks.

[Figure: 802.X Header (MAC Sublayer), then the LLC Sublayer, then SNAP: Organization/Vendor Code (optional) and Type.]

Organization Code: (3 bytes) Identifies the vendor or manufacturer - same as vendor code in MAC layer address.

Type: (2 bytes) Identifies the upper layer protocol - same as EtherType for protocols that came from the Ethernet environment.
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Type 1 
Connectionless Services 
Type 2
Connection Oriented Service

[Figure: exchange between two stations showing Session Setup, Sequenced Data Messages, Disconnect and ACK.]
LLC Frame Types

• Unnumbered frames:
  — Establish link connections/disconnections
  — Provide link maintenance and error recovery
  — Provide connectionless (datagram) support

• Supervisory frame:
  — Acknowledges frames received
  — Requests retransmission of frame(s)
  — Provides flow control

• Information frames:
  — Transports user data and higher layer protocols
  — Increments sequence numbers
Set Asynchronous Balanced Mode Extended   Command    Connection Oriented
Unnumbered Acknowledgement                Response   Connection Oriented
Disconnect                                Command    Connection Oriented
Disconnect Mode                           Response   Connection Oriented
Frame Reject                              Response   Connection Oriented
Exchange Identification                   Either     Connection or Connectionless
Test                                      Either     Connection or Connectionless
Unnumbered Information                    Either     Connection or Connectionless
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LLC Supervisory Frames 


(Connection oriented only) 


RR Receive Ready Command/Response 
RNR Receive Not Ready Command/Response 
REJ Reject Command/Response 


LLC Information Frame 


(Connection oriented only) 


I Information Command/Response 
LLC Service Access Points (SAP)

BPDU      42               Bridge Protocol Data Units
Banyan    BC               Banyan VINES
IBM_NM    F4               IBM Network Management
IP        06               Internet Protocol
ISO       FE               International Standards Organization
NetBIOS   F0               Network Basic I/O System
Novell    E0               Novell (NetWare)
SNA       04, 05, 08, 0C   Systems Network Architecture
SNAP      AA               SubNetwork Access Protocol
Global    FF               Broadcast
Null      00               IBM SAP Negotiation
Common LLC Problems

• Connection reset

• Unsupported LLC frame types

• Flow control lockup

• Frame sequence retransmission

• Excessive length information field

• Expired timers

• Expired counters
Decoding LLC Connection-Oriented Frames

From Workstation   LLC C D=F0 S=F0 RR NR=0 P

  C       Command
  D=F0    Destination Service Access Point = F0 (NetBIOS)
  S=F0    Source Service Access Point = F0 (NetBIOS)
  RR      Receive Ready
  NR=0    Frame Number Workstation expects to receive is 0
  P       Poll bit is on; Workstation expects a response from Server

From Workstation   LLC C D=F0 S=F0 I NR=0 NS=0

  C       Command
  D=F0    Destination Service Access Point = F0 (NetBIOS)
  S=F0    Source Service Access Point = F0 (NetBIOS)
  I       Information frame; higher layer data is included
  NR=0    Workstation is still expecting to receive frame 0 next
  NS=0    Workstation is sending frame number 0

From Server   LLC R D=F0 S=F0 RR NR=0 F

  R       Response
  D=F0    Destination Service Access Point = F0 (NetBIOS)
  S=F0    Source Service Access Point = F0 (NetBIOS)
  RR      Receive Ready
  NR=0    Frame Number Server expects to receive is 0
  F       Final bit is on; Response to Workstation's Poll

From Server   LLC R D=F0 S=F0 I NR=1 NS=0 P

  R       Response
  D=F0    Destination Service Access Point = F0 (NetBIOS)
  S=F0    Source Service Access Point = F0 (NetBIOS)
  I       Information frame; higher layer data is included
  NR=1    Server expects to receive frame number 1 next
  NS=0    Server is sending frame number 0
  P       Poll bit is on; Server expects a response from Workstation
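
The summary lines on the decoding slides can be produced directly from the DSAP, SSAP and control bytes. This is an added example, not Sniffer code: it assumes the standard 802.2 control-field encoding, prints the poll/final bit as P on commands and F on responses, and also flags an information frame whose N(S) is not the next number in sequence, the symptom studied in the LLC troubleshooting exercise. The frame bytes and the short trace are constructed; only the station names come from the exercise.

```python
"""Decode IEEE 802.2 LLC headers into one-line summaries and check N(S) order."""

# Unnumbered-frame control values with the P/F bit (0x10) cleared.
U_FRAMES = {0x6F: "SABME", 0x63: "UA", 0x43: "DISC", 0x0F: "DM",
            0x87: "FRMR", 0xAF: "XID", 0xE3: "TEST", 0x03: "UI"}
S_FRAMES = {0b00: "RR", 0b01: "RNR", 0b10: "REJ"}

# Constructed trace: (station, LLC header bytes). Not taken from LLCPROB2.TRC.
SAMPLE_TRACE = [
    ("CWF3", bytes.fromhex("f0f0080a")),      # I  NS=4 NR=5
    ("DGARCIAS", bytes.fromhex("f0f1010a")),  # RR NR=5 (response)
    ("CWF3", bytes.fromhex("f0f00c0a")),      # I  NS=6 NR=5, NS=5 was skipped
]


def decode_llc(data: bytes) -> dict:
    """Return the LLC header fields; N(S)/N(R) are None where not carried."""
    if len(data) < 3:
        raise ValueError("LLC header needs DSAP, SSAP and a control byte")
    dsap, ssap, c0 = data[0], data[1], data[2]
    out = {"dsap": dsap, "ssap": ssap & 0xFE, "response": bool(ssap & 1),
           "ns": None, "nr": None}
    if c0 & 0b11 == 0b11:                      # unnumbered: 1-byte control
        out["kind"] = U_FRAMES.get(c0 & 0xEF, f"U?{c0 & 0xEF:02X}")
        out["pf"] = bool(c0 & 0x10)
        return out
    if len(data) < 4:
        raise ValueError("I and S frames carry a 2-byte control field")
    c1 = data[3]
    out["nr"] = c1 >> 1
    out["pf"] = bool(c1 & 1)
    if c0 & 1 == 0:                            # information frame
        out["kind"] = "I"
        out["ns"] = c0 >> 1
    else:                                      # supervisory frame
        out["kind"] = S_FRAMES.get((c0 >> 2) & 0b11, "S?")
    return out


def summary(f: dict) -> str:
    """Format like the slide: LLC C D=F0 S=F0 RR NR=0 P."""
    parts = ["LLC", "R" if f["response"] else "C",
             f"D={f['dsap']:02X}", f"S={f['ssap']:02X}", f["kind"]]
    if f["nr"] is not None:
        parts.append(f"NR={f['nr']}")
    if f["ns"] is not None:
        parts.append(f"NS={f['ns']}")
    if f["pf"]:
        parts.append("F" if f["response"] else "P")
    return " ".join(parts)


def find_unexpected_ns(trace):
    """Return (index, station, expected N(S), seen N(S)) for out-of-order I frames."""
    next_ns, findings = {}, []
    for i, (station, raw) in enumerate(trace):
        f = decode_llc(raw)
        if f["kind"] in ("SABME", "UA"):       # link (re)set restarts numbering
            next_ns.clear()
        elif f["kind"] == "I":
            expected = next_ns.get(station)
            if expected is not None and f["ns"] != expected:
                findings.append((i, station, expected, f["ns"]))
            next_ns[station] = (f["ns"] + 1) % 128
    return findings


if __name__ == "__main__":
    for station, raw in SAMPLE_TRACE:
        print(f"{station:9} {summary(decode_llc(raw))}")
    print(find_unexpected_ns(SAMPLE_TRACE))
```

A retransmission after a Reject also shows up in `find_unexpected_ns`, with a seen N(S) lower than the expected one, so read each finding together with the surrounding supervisory frames.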
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Exercise 


Objective: Tracking an LLC session setup 


Procedures: 1. Load Trace File CAPTURE\TC105\APPC.TRC 

2. In summary display, locate the first LLC TEST Frame. 

3. Set the mark at this point and change time to Relative. 

4. Follow the session building process until the LLC Disconnect mode. 


Questions: 
1. What was the time duration of the first session? 

2. Does APPC use connection oriented or connectionless services? 
3. Set up a protocol filter to display only LLC frames. 


4. In the first session we see in this trace, what was the LLC send sequence number (NS) 
of the last information frame station 400000000002 sent? 
[Figure: ring with a LAN Manager Old Server and a LAN Manager New Server.]

Users connected to the new server CWF3 are experiencing slow response times, disconnections (“Network drive not available”), and failure to make new connections. Intermittent problems occur regardless of what applications the users are running.

Users connected to the Old Server are not having any serious problems.
Exercise Two
Continued

Objective: Troubleshoot a problem in an LLC, NetBIOS, Microsoft LAN Manager environment.

Background: The network administrator already ruled out MAC layer problems. Though the network is very busy and the bridges report some dropped packets due to periodic congestion, the errors have not increased since the last baseline analysis.

Current Setup: At this point in time, the network administrator has put a Sniffer on the ring and captured data between the user DGARCIAS and the server CWF3. The network administrator has called you in to help troubleshoot the problem...
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Exercise Two 
Continued 
1. Load and display C:\CAPTURE\TC105\LLCPROB2.TRC. 


2. Turn All layers on and turn Two-station format on. 


3. Follow the session building process at the beginning of the trace. In which frame does 
DGARCIAS send its first sequenced frame? (NS=0.) 


4. Study about 10 more frames to watch the patterns of NR and NS from each station. 
Study the Poll and Final bits as well. Does CWF3 always send the frame that 
DGARCIAS is expecting? 


5. Go to frame 965. In frame 965 at the Server Message Block (SMB) application layer, 
DGARCIAS requests 3063 bytes. At the LLC layer, what sequenced frame does 
DGARCIAS expect next? 
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Exercise Two 


Continued 


6. Look at frame 966. At the NetBIOS session layer this is a data ACK for frame 965. 
At the LLC layer, does CWF3 send the sequence number DGARCIAS expected? 


7. Frame 967 is an LLC Receive Ready from DGARCIAS. At this point, what 
number does DGARCIAS expect to receive next? 


8. What is strange about frame 968 from CWF3? 
9. What is DGARCIAS’s reaction to frame 968? 


10. In frame 970, CWF3 waits one second and then sends a Receive Ready with the 
Poll bit set. DGARCIAS responds and re-specifies the frame number he is still 
expecting to receive. Does CWF3 send the frame DGARCIAS is expecting? 
11. CWF3 starts sending Receive Readies with the Poll bit set. Does DGARCIAS
respond?


12. In what frame does CWF3 give up on this connection and send a DISC? 


13. In what frame does DGARCIAS try to re-establish the LLC connection? 


14. Study frame 1007. Now go to frame 1008. In frame 1008, CWF3 sends 
sequence 6, when he should have sent sequence 5. Study frames 1007-1017. 
Does this error follow the same sequence that the previous error did? 


15. Now that you’ve studied the problem, what would be your next step to resolve the 
problem? 
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Internet Protocol Suite 


Developed out of the ARPANET project 


Actually many different protocols 


Transmission control protocol (TCP) 
Internet protocol (IP) 

User datagram protocol (UDP) 
Routing information protocol (RIP) 


Application layer protocols - File Transfer Protocol (FTP), 
Telnet, Simple Mail Transfer Protocol (SMTP), and 
Simple Network Management Protocol (SNMP) 
What Does IP Do?

• Best effort delivery of frames across an internet

• IP does not provide flow control or error control; higher layers must handle this

• IP Gateways (routers) route frames from one network to another

• IP fragments and re-assembles frames for traversal across networks that require small frames - i.e. ARCNET or LocalTalk
IP Addressing:
Address Classes

Few Networks (7 Bits)     Many Hosts (24 Bits)    High order bit = 0
Some Networks (14 Bits)   Some Hosts (16 Bits)
Many Networks (21 Bits)   Few Hosts (8 Bits)      High order bit = 1,1,0

High-order bit(s) indicate how many bits of “Network Address” information are present

Typical Class A Address (0-127): TO
Typical Class B Address (128-191): 128.203.3517
Typical Class C Address (192-223): 192.1.2.10

Source: Davidson, “An Introduction to TCP/IP”
The Network Information Center reserves numbers 0.x.x.x, 127.x.x.x, 128.0.x.x, 191.255.x.x, 192.0.0.x, 223.255.255.x, and 224.0.0.0 - 255.255.255.249
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IP Addressing: 


Subnetting 


Without subnetting: Network Address (X Bits) | Host Address (Y Bits)

With subnetting: Network Address (X Bits) | Subnet Address (Z Bits) | Host Address (Y-Z Bits)

• Used to differentiate LANs in the same campus.

• Particularly useful when LANs are:
  - Different technologies
  - Too far apart
  - Congested
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Subnetting in a Class B Network 


Rest of the network: all traffic to 128.10.0.0
Subnet 128.10.1.0 
Host Host 
128 10.1. 
Subnet 128.10.2.0 


Host Host 
128.10.2.1 128.10.2.2 
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Subnet Address Masks 


• Used to identify which bits of the local address field indicate the subnet number.

[Figure: a Logical “And” operation between the address (Network; Byte 1 | Byte 2 | Byte 3 | Byte 4) and the mask]

Mask (in IP format): 255.255.255.0
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Address Resolution Protocol (ARP) 


Station A (Broadcast): Station B, where are you? I know your IP address; what's your hardware address?

Station B (Point to Point): My hardware address is XXXXXX

• Each station maintains an Address Resolution Cache of recently acquired Physical/Internet Address Mappings.
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What Does TCP Do? 


• Reliable frame delivery

• Efficient flow control

• Multiplexing (conversations and connections)

• Error control (checksum)
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TCP Functionality: Reliable Delivery 


* Positive Acknowledgement with Retransmission (PAR) 
Host A Host B 


* Sliding Window Permits Host to Send Multiple Frames before Expecting an ACK 
Host A Host B 


16587 


16787 


16987 
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What Does UDP Do? 


• Best effort delivery

• No ACKs

• Connectionless (no session established)

• Datagram oriented

• Error control (optional in UDP, uses 16 bit checksum)
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Application-Layer Protocols 
File Transfer Protocol (FTP) 


— reliable client/server protocol for transferring files 


Trivial File Transfer Protocol (TFTP) 


— simpler file transfer protocol, easier to implement than FTP but not as reliable 


Telnet 


— provides remote terminal connection service; passes keystrokes from the user's 
terminal to a remote host machine 


Simple Network Management Protocol (SNMP) 


— provides network management of a TCP/IP internet 


Simple Mail Transfer Protocol (SMTP) 


— electronic mail protocol; specifies how mail systems interact and a simple format 
for messages 


Network File System (NFS) 


— developed by SUN Microsystems but now runs on many machines; allows 
cooperating computers access to each other’s file systems 
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TELNET Processes 




Terminal Handler Host Process 
User TELNET Server TELNET 


TCP/IP TCP/IP 
Network Interface Network Interface 


Network Virtual Terminal Host Terminal-Oriented Process 


Telnet issues: Which machine will provide the echo? 
Does the Telnet implementation always send one character per frame? 
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Remote UNIX Commands 


Provides Information on Remote Hosts. 


A terminal emulation protocol, similar to Telnet. 


A protocol allowing execution of commands on a Remote Host.


A protocol allowing the remote reporting of 
statistics. 


A remote copy protocol, similar to FTP. 
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RWHO 


(Remote Who) 


(Updates database) 


(Updates database) 


• Provides information about remote hosts.
• A Host running RWHO broadcasts an RWHO frame once a minute.


Ethernet and Token Ring Network Analysis & Troubleshooting 6/94 Rev. 4.4T
© Copyright 1990 - 1994 Network General Corporation. All rights reserved.
Sniffer University

Exercise One (Ethernet) 


Objective: Determine the cause of a Broadcast storm. 


Background: Some hosts interpret an IP destination address with zeros in the host part 
of the address as a Broadcast to that network (or subnet.) For others, the 
host part of the address must be all ones to be a Broadcast address. 


1. Load and display the trace file: C:\CAPTURE\TC102\BCAST.ENC. 

2. What is the DLC destination address in frame 1? 

3. What is the IP destination address in frame 1? 

4. How does host 128.18.4.2 (joyce) seem to be interpreting the IP address 128.18.4.0? 
5. What is happening in frames 2-113? 


6. What configuration changes can you make to avoid broadcast storms like this one? 
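
The logical AND from the Subnet Address Masks slide and the two broadcast conventions described in the Background above, as an added example that is not part of the course material. The mask 255.255.255.0 is assumed for network 128.18, and the host names and the convention assigned to each are constructed.

```python
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def classful_network_bits(addr):
    """Width of the classful network field, class bits included (A=8, B=16, C=24)."""
    first_octet = to_int(addr) >> 24
    if first_octet < 128:        # high-order bit 0
        return 8
    if first_octet < 192:        # high-order bits 1,0
        return 16
    if first_octet < 224:        # high-order bits 1,1,0
        return 24
    raise ValueError("not a class A, B or C address: " + addr)


def split(addr, mask):
    """AND the address with the mask: (subnet, host number, subnet bits Z)."""
    a, m = to_int(addr), to_int(mask)
    subnet = str(ipaddress.IPv4Address(a & m))
    host = a & ~m & 0xFFFFFFFF
    subnet_bits = bin(m).count("1") - classful_network_bits(addr)
    return subnet, host, subnet_bits


def broadcast_form(dst, mask):
    """'all-ones', 'all-zeros' or None, judged on the host part left by the mask."""
    host_field = ~to_int(mask) & 0xFFFFFFFF
    host = to_int(dst) & host_field
    if host == host_field:
        return "all-ones"
    if host == 0:
        return "all-zeros"
    return None


def disagreeing_hosts(dst, mask, conventions):
    """Hosts whose configured convention does not match the form dst is written in.

    conventions maps a host name to the broadcast form its IP stack expects.
    Returns [] when dst is not in either broadcast form.
    """
    form = broadcast_form(dst, mask)
    if form is None:
        return []
    return sorted(name for name, expected in conventions.items() if expected != form)


# Constructed inventory; the mask is an assumption, the addresses are from Exercise One.
MASK = "255.255.255.0"
CONVENTIONS = {"host-a": "all-zeros", "host-b": "all-ones", "host-c": "all-ones"}

if __name__ == "__main__":
    print(split("128.18.4.2", MASK))
    print(broadcast_form("128.18.4.0", MASK))
    print(disagreeing_hosts("128.18.4.0", MASK, CONVENTIONS))
```

A non-empty result from `disagreeing_hosts` marks the stations whose broadcast setting needs to be brought into line with the rest of the subnet.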


Exercise Two (Ethernet) 


[Figure: router CISCO 007727 (36.53.0.1) and station 080032220C40 (36.53.0.174). Where is station 36.53.2.3 located?]

OBJECTIVE: Use various display features to debug an IP configuration problem. 


BACKGROUND: CISCO 007727 is configured as an IP router. IP stations send frames 
to the CISCO router when they need to reach destinations on other subnetworks. If a 
station erroneously sends a frame to the CISCO router, the router uses the Internet 
Control Message Protocol (ICMP) to tell the station to redirect these frames in the 
future. The CISCO router then tries to route the frame anyway. 


1. Load the trace file C:\CAPTURE\TC102\ROUTER.ENC. In the Expert Overview 
window, arrow down to the Connections layer and press Enter on the Diagnoses 
column. What is the diagnosis for the connection between 36.53.2.3 and 
36.53.0.174? 
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Exercise Two (continued) 


2. Arrow down to the connection between 36.53.2.3 and 36.53.0.174 and press F1 to
explain. Arrow down to the drawing to get some clues to explain the situation.
Then press Escape and F3 to display the data so you can get more clues.


3. Turn on the Summary and Detail windows. Turn All layers and DLC addresses
on.


4. Display the data. What protocols run beneath ICMP?


5. Go to frame 1912.


6. Looking at frame 1912 in the Summary window, fill in the blanks below:
DLC source =                IP source =
DLC destination =           IP destination =
Exercise Two (continued)


7. Arrow down to frame 1913 (ICMP Redirect). Tab into the Detail window and use 
F4 to zoom in. When a router sends an ICMP redirect, it follows the ICMP header 
with the original IP header of the frame that caused the redirect. Do you see the 
layers in this order - DLC Header, IP Header, ICMP Header, IP Header, ICMP? 


8. Use the Two viewports feature to determine that frame 1913 is a redirect for frame 
1912. (Compare the IP header that follows the ICMP header in frame 1913 to the IP 
header in frame 1912. Everything but the Time to Live and Checksum should match.) 


9. Zoom into the Summary window. After sending an ICMP redirect, a router will then 
try to forward the frame anyway. Did the Sniffer see the CISCO router try to forward 
the frame from 36.53.0.174 to 36.53.2.3? If the answer is yes, what does this tell us 
about the location of station 36.53.2.3? 
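
The comparison in step 8, done in code on constructed packets (an added example, not part of the course material or of the ROUTER.ENC trace). The echo payload, the identification values, the TTLs, the gateway 36.53.0.2 and the address 36.53.9.9 are constructed; the other addresses are the ones named in the exercise.

```python
import socket
import struct

IP_HEADER = struct.Struct("!BBHHHBBH4s4s")    # 20-octet IPv4 header, no options
FIELDS = ("ver_ihl", "tos", "total_len", "ident", "frag",
          "ttl", "proto", "checksum", "src", "dst")


def inet_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ip(src, dst, payload, ttl, ident):
    """Sample-data helper: IPv4 header (protocol 1 = ICMP) followed by payload."""
    header = IP_HEADER.pack(0x45, 0, 20 + len(payload), ident, 0, ttl, 1, 0,
                            socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + payload


def build_icmp(icmp_type, code, rest, data):
    """Sample-data helper: ICMP type, code, checksum, 4 octets of 'rest', data."""
    msg = struct.pack("!BBH4s", icmp_type, code, 0, rest) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_ip(packet):
    header = dict(zip(FIELDS, IP_HEADER.unpack_from(packet)))
    header["src"] = socket.inet_ntoa(header["src"])
    header["dst"] = socket.inet_ntoa(header["dst"])
    ihl = (header["ver_ihl"] & 0x0F) * 4
    return header, packet[ihl:header["total_len"]]


def parse_redirect(packet):
    """Decode an ICMP redirect (type 5); None for any other packet."""
    outer, icmp = parse_ip(packet)
    if outer["proto"] != 1 or len(icmp) < 28 or icmp[0] != 5:
        return None
    quoted, _ = parse_ip(icmp[8:])             # the IP header that follows the ICMP header
    return {"router": outer["src"], "sent_to": outer["dst"], "code": icmp[1],
            "gateway": socket.inet_ntoa(icmp[4:8]), "quoted": quoted}


def header_differences(original, redirect):
    """Fields, other than TTL and checksum, where the quoted header differs."""
    sent, _ = parse_ip(original)
    info = parse_redirect(redirect)
    if info is None:
        raise ValueError("second packet is not an ICMP redirect")
    return sorted(f for f in FIELDS
                  if f not in ("ttl", "checksum") and sent[f] != info["quoted"][f])


def redirect_answers(original, redirect):
    """True when the redirect quotes this packet and went back to its source."""
    info = parse_redirect(redirect)
    return (info is not None and not header_differences(original, redirect)
            and info["sent_to"] == parse_ip(original)[0]["src"])


# Constructed sample: an echo request, then the redirect a router sends for it.
ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"constructed")
SENT = build_ip("36.53.0.174", "36.53.2.3", ECHO, ttl=64, ident=7)
QUOTED = build_ip("36.53.0.174", "36.53.2.3", ECHO, ttl=63, ident=7)[:28]
REDIRECT = build_ip("36.53.0.1", "36.53.0.174",
                    build_icmp(5, 1, socket.inet_aton("36.53.0.2"), QUOTED),
                    ttl=255, ident=8)
OTHER = build_ip("36.53.0.174", "36.53.9.9", ECHO, ttl=64, ident=7)

if __name__ == "__main__":
    print(parse_redirect(REDIRECT))
    print(header_differences(SENT, REDIRECT), redirect_answers(SENT, REDIRECT))
```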
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Exercise (Token Ring) 


Objective: Investigate Telnet inefficiency. 


Background: A user is logged onto a remote host computer. The user is reporting 
slow response times when using a statistical analysis package. 


1. Load and display trace file C:\CAPTURE\TC105\TCPIP.TRC. 


2. Set up a Station address filter to only look at traffic between 
36.53.0.195 and 36.56.0.208. 


3. How much time does it take for the user to type in S(B,A), S(C,B) 
and see it displayed (echoed) onto his screen? 


4. Is the time elapsed caused mostly by a slow implementation at the 
workstation (36.53.0.195), a slow implementation at the host 
(36.56.0.208), or the user being a slow typist? 
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NetWare Time Line 


[Figure: NetWare time line, ’80 to ’94. Labels recoverable from the figure, in no particular order: OSI Model; IEEE 802.3 Std; IEEE 802.2 LLC Std; Motorola 6800; support for RS-422 and ARCNET; NetWare 1.0; NetWare 2.1x for AT; NetWare 386; NetWare 3.11; PBURST.NLM; TCP/IP; NetWare 3.12; LIPX.NLM; IEEE 802.3 frames; NetWare 4.x; NetWare TCP/IP Transport Stack]
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OSI-NetWare Relationship 


Application 


Presentation 


OSI 


Transport 


Physical 
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CLIENT SERVER 


Novell NetBIOS, 
Shell 
DOS Requester 
or 3rd Party 
Applications 


The ‘No Name’ 
Transport Layer 


MLID-ODI 


All physical layers supported 


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Novell NetWare 


• Network operating system

• DOS shell, DOS requester, OS/2 requester on workstation

• Over 100 NICs supported, support for many disk subsystems

• Multiple APIs supported

• Support for PCs, Macintoshes, OS/2, UNIX, minicomputers, etc.

• Server software, workstation software, router software, gateway software
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Changes in the Client Environment 


• DOS Requester, standard in 4.x, option in 3.12
  - replaces the shell of previous versions
  - uses a set of files with the .VLM extension to support the client tasks like I/O and printing
  - VLM.EXE loads the required modules
  - directs requests to DOS or the network

• ODI drivers replace IPX.COM

• Multiple frame types supported

• Windows support included
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Compatibility Issues 


• Novell Proprietary Ethernet Frame Type created problems in mixed LAN environments

• 3.12 and 4.x Versions now use IEEE compliant Ethernet 802.3 frames with LLC header (Novell calls this Ethernet_802.2)

• Switch all current Novell LANs to one frame type

• SAP and RIP traffic on LANs create broadcast traffic

  Configure the interval of the broadcasts on the 3.12 or 4.x servers and Novell’s multiprotocol routers.




NetWare Frames 


Novell Proprietary (Novell Ethernet_802.3 or 802.3 raw)
default for NetWare 2.x and pre-3.12 servers, DOS clients

Destination | Source | Length | Data | FCS


802.3 (Novell Ethernet_802.2)
default for NetWare 4.x and 3.12 servers and ODI clients

Destination | Source | Length | Destination Service Access Point | Source Service Access Point | Control | Data | FCS
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NetWare Frames 


Ethernet Version 2 (Novell Ethernet_II)
(used by many TCP/IP clients)

Destination | Source | EtherType | Data | FCS
EtherType: 2 bytes = 8137; Data: FFFF and variable data


802.3 SNAP (Novell Ethernet_SNAP)
(used by AppleTalk clients)

Destination | Source | Length | Destination Service Access Point | Source Service Access Point | Control | SNAP | Data
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Token Ring Frame Types 


Standard IEEE 802.5 Token Ring Frame

Destination | Source | Destination Service Access Point | Source Service Access Point | Control | Data | FCS | ED | FS


Standard IEEE 802.5 SNAP Token Ring Frame

Destination | Source | DSAP | SSAP | Control | Data | FCS | ED | FS
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To Configure Frame Types in NetWare 


• File Server Configuration (3.x and 4.x)
  — LOAD driver with frame=Ethernet_xxxx statement added
  — BIND frame type to interface card giving the network number for frame type
  — Include LOAD and BIND statements for each frame type
  — Be sure all parameters are in the AUTOEXEC.NCF file

• Workstation Configuration
  — Change parameters in NET.CFG or command line for ODI drivers
  — Link Driver=Driver Name
  — Frame Ethernet_802.2
  — Run ‘ECONFIG’ program on IPX.COM when built for a specific vendor’s device driver to change from “Raw Ethernet” to version II.

• The client workstation frame type must match the file server frame type
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IPX/SPX 


• Developed by Novell for NetWare communications

• Designed after Xerox’s XNS protocols

• Supports transport and network layers

IPX provides a datagram service
- The majority of communications use only IPX

SPX provides a connection-oriented service
- Print servers, RCONSOLE and third party applications
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IPX Header 


Checksum (always FFFF)   (2 Octets)
Length                   (2 Octets)
Transport Control        (1 Octet)
Packet Type              (1 Octet)
Destination Network      (4 Octets)
Destination Node         (6 Octets)
Destination Socket       (2 Octets)
Source Network           (4 Octets)
Source Node              (6 Octets)
Source Socket            (2 Octets)
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NCP Information Field 
(follows IPX header when used) 


Request Type (2 Octets) 2222=request; 3333= reply 


Sequence # (1 Octet) Matches requests and replies 


Connection # (1 Octet) Distinguishes a connection when 
multiple connections are open 
between server and workstation 


Task # (1 Octet) Distinguishes operations while 
connection is open 
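
The four Ethernet frame types and the IPX and NCP field layouts from the preceding slides, combined into one decoder as an added example (not Sniffer or Novell code). The LLC values E0 E0 03 and AA AA 03, the 0x0600 type/length boundary, socket 0451 and packet type 17 are standard values not given on the slides; the DLC addresses, source socket and NCP field values are constructed, and the network and node numbers are the ones shown for the BBS exercise.

```python
import struct
from collections import Counter

IPX_HEADER = struct.Struct("!HHBB4s6sH4s6sH")   # 30 octets, widths from the IPX Header slide
NCP_HEADER = struct.Struct("!HBBB")             # request type, sequence #, connection #, task #
TYPES = ("Ethernet_802.3", "Ethernet_802.2", "Ethernet_II", "Ethernet_SNAP")


def classify(frame):
    """Return (Novell frame-type name, offset of the IPX header)."""
    (type_or_length,) = struct.unpack("!H", frame[12:14])
    if type_or_length >= 0x0600:              # an EtherType (8137 for IPX), not a length
        return "Ethernet_II", 14
    if frame[14:16] == b"\xff\xff":           # no LLC: the FFFF checksum follows the length
        return "Ethernet_802.3", 14
    if frame[14:17] == b"\xaa\xaa\x03":       # LLC plus the 5-octet SNAP header
        return "Ethernet_SNAP", 22
    return "Ethernet_802.2", 17               # DSAP, SSAP, Control


def ipx_address(network, node):
    """network.node, leading zeros dropped, as in the exercises (e.g. 4500.1)."""
    return "%X.%X" % (int.from_bytes(network, "big"), int.from_bytes(node, "big"))


def parse(frame):
    frame_type, offset = classify(frame)
    (checksum, length, transport_control, packet_type,
     dnet, dnode, dsock, snet, snode, ssock) = IPX_HEADER.unpack_from(frame, offset)
    if checksum != 0xFFFF:
        raise ValueError("no IPX header at offset %d" % offset)
    data = frame[offset + IPX_HEADER.size:offset + length]
    result = {"frame_type": frame_type, "length": length,
              "transport_control": transport_control, "packet_type": packet_type,
              "dst": ipx_address(dnet, dnode), "dst_socket": dsock,
              "src": ipx_address(snet, snode), "src_socket": ssock}
    if len(data) >= NCP_HEADER.size and data[:2] in (b"\x22\x22", b"\x33\x33"):
        request_type, sequence, connection, task = NCP_HEADER.unpack_from(data)
        result["ncp"] = {"type": "request" if request_type == 0x2222 else "reply",
                         "sequence": sequence, "connection": connection, "task": task}
    return result


def frame_type_census(frames):
    """Count frames per frame type; more than one key means a mixed LAN."""
    return Counter(classify(frame)[0] for frame in frames)


def encapsulate(frame_type, ipx_packet,
                dst=b"\x02\x00\x00\x00\x00\x01", src=b"\x02\x00\x00\x00\x00\x02"):
    """Sample-data helper: wrap one IPX packet in the given frame type (FCS omitted)."""
    if frame_type == "Ethernet_II":
        return dst + src + b"\x81\x37" + ipx_packet
    llc = {"Ethernet_802.3": b"",
           "Ethernet_802.2": b"\xe0\xe0\x03",
           "Ethernet_SNAP": b"\xaa\xaa\x03\x00\x00\x00\x81\x37"}[frame_type]
    body = llc + ipx_packet
    return dst + src + struct.pack("!H", len(body)) + body


# Constructed NCP request from 47.6508058E to the file server at 4500.1.
NCP = NCP_HEADER.pack(0x2222, 5, 1, 2) + b"constructed"
IPX_PACKET = IPX_HEADER.pack(0xFFFF, IPX_HEADER.size + len(NCP), 0, 17,
                             bytes.fromhex("00004500"), bytes.fromhex("000000000001"), 0x0451,
                             bytes.fromhex("00000047"), bytes.fromhex("00006508058E"), 0x4003) + NCP

if __name__ == "__main__":
    for name in TYPES:
        print(parse(encapsulate(name, IPX_PACKET)))
```

A census with more than one key on a single segment is the mixed-frame-type condition the Compatibility Issues slide warns about.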
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SPX Header 


Connection Control          (1 Octet)
Data Stream Type            (1 Octet)
Source Connection ID        (2 Octets)
Destination Connection ID   (2 Octets)
Sequence Number             (2 Octets)
Acknowledge Number          (2 Octets)
Allocation Number           (2 Octets)
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Novell Routing Information Protocol (RIP) 
• An IPX router broadcasts its routing table every 60 seconds using RIP


• Novell’s RIP was derived from XNS but enhanced to include information on how much
time it takes to reach a network, called the “number of ticks” (about an 18th of a second).
The ticks field can be used by workstations for selecting routes and for estimating receive
time-out values. The maximum hop count is 15.


RIP Packet Format 
Operation 2 bytes 
Network Number 4 bytes 
Number of Hops to that network 2 bytes 
Number of Ticks to that network 2 bytes 
Network Number 4 bytes 
Number of Hops to that network 2 bytes 
Number of Ticks to that network 2 bytes 
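
A decoder for the RIP packet format above that also builds a per-router view of the internetwork, as an added example (not Sniffer or Novell code). The router names, network numbers, hop counts and ticks are constructed; operation value 2 for a response is the standard IPX RIP value, which the slide does not give.

```python
import struct

ENTRY = struct.Struct("!4sHH")     # network number, hops, ticks (4 + 2 + 2 bytes)


def parse_rip(payload):
    """Return (operation, routes) from the data that follows the IPX header."""
    (operation,) = struct.unpack_from("!H", payload, 0)
    routes = []
    for offset in range(2, len(payload) - ENTRY.size + 1, ENTRY.size):
        network, hops, ticks = ENTRY.unpack_from(payload, offset)
        routes.append({"network": network.hex().upper(), "hops": hops, "ticks": ticks,
                       "seconds": round(ticks / 18, 2),   # a tick is about 1/18 second
                       "reachable": hops <= 15})          # maximum hop count is 15
    return operation, routes


def network_map(adverts):
    """adverts maps a router name to the RIP payload it broadcast.

    Returns (attached, best): the networks each router reports at hop count 1,
    and for every reachable network the router offering the fewest ticks
    (hops break ties), which is how a workstation can use the ticks field.
    """
    attached, best = {}, {}
    for router, payload in sorted(adverts.items()):
        _, routes = parse_rip(payload)
        attached[router] = sorted(r["network"] for r in routes if r["hops"] == 1)
        for route in routes:
            if not route["reachable"]:
                continue
            cost = (route["ticks"], route["hops"])
            if route["network"] not in best or cost < best[route["network"]][0]:
                best[route["network"]] = (cost, router)
    return attached, {network: router for network, (_, router) in best.items()}


def build_rip(operation, routes):
    """Sample-data helper: routes is a list of (network hex, hops, ticks)."""
    return struct.pack("!H", operation) + b"".join(
        ENTRY.pack(bytes.fromhex(network), hops, ticks) for network, hops, ticks in routes)


# Constructed broadcasts from two routers that share one cable.
ADVERTS = {
    "router-a": build_rip(2, [("0000000A", 1, 2), ("0000000B", 2, 3), ("0000000C", 16, 99)]),
    "router-b": build_rip(2, [("0000000B", 1, 2), ("0000000A", 2, 3)]),
}

if __name__ == "__main__":
    for name, payload in ADVERTS.items():
        print(name, parse_rip(payload))
    print(network_map(ADVERTS))
```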
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Novell Service Advertising Protocol (SAP) 


• File servers, print servers, gateways, etc. use SAP to advertise their services and addresses when they are first brought up

• IPX routers keep a table called the Server Information Table based on SAP traffic

• Every 60 seconds the SAP agent in an IPX router broadcasts information regarding the services it knows about

• Workstations use SAP to find services
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Configuring RIP and SAP 


• At the 4.x File Server, load SERVMAN
  - Select IPX/SPX Configuration, then SAP filtering to configure SAP advertising
  - Configure RIP to broadcast only updates

• At the 3.x File Server, use the NetWare Service Advertising Restrictor (NSAR) by loading RESTRICT.NLM to configure the SAP advertising

• Caveat: Reducing this traffic will impact the time required to update tables
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Packet Burst Enhancement 
Allows up to 64KB transfer per request 


Set up at connection/login time 
Active for duration of attachment 


DOS requester/ shell negotiates number of 
frames in burst based on network traffic 
and buffer available-adaptive windowing 


Enabled automatically in NetWare 4.x and 3.12 
servers and clients using the VLMs. 


Load PBURST.NLM on 3.11 servers 


Use BNETX at 3.11 clients 
Add PB Buffers = n to NET.CFG 


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Large Internet Packets (LIPX) 


• Overrides the 512 byte default max for routed packets
  — Token Ring (4 and 16 MBPS) 4202 bytes
  — Ethernet 1130 bytes
  — ARCNET 576 bytes

• Must configure at File Servers, Workstations and NetWare Routers

• Packets exchanged will be the smallest frame size of any of the devices in the path
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NetWare Core Protocol (NCP) Functions 


• Connection establishment and task implementation

• File access - i.e. open, close, read, write, create, delete, retrieve directory listings
  Maps file handles (identifiers) to files and directories

• Security - verifies passwords, access privileges, file attributes

• Lock Manager allows programs to lock files and/or records

• Print services, including general purpose queuing methodology that can be used for non-printing tasks

• Accounting services to charge a user’s account for resources used

• Auditing (4.x)
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Configurable Traffic 


• Optimize file transfer frame sizes

• Inefficient file searching
  — Specify complete path and file name in batch and menu files
  — Compile batch files into executable files

• RIP and SAP broadcast storms
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Exercise (Ethernet) 
Objective: Look at the frame format for Raw Ethernet_802.3 frame and 
typical NetWare traffic 
1. Load the file C:\CAPTURE\TC102\NOVELL.ENC. Press F3 just once. 
2. In the Detail screen, note the format of frame 1. 
— Note the checksum from the XNS header 
— Note the length field 
— Note there is no LLC header after the DLC layer 
3. Look in the IPX layer- note we show the network layer address in the network.node 
format. What is the destination address? 
What is the source address? 
4. What is the socket number of server S1? 
What is the socket number of Dan? 
5. Note the Novell Advanced NetWare header of frame 1. This is not SPX, it is the
undocumented header. What is the request type?
Go to frame 2. What is the request type?
What is Dan doing in frames 9-20?
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Objective: Determine why NetWare sometimes uses such small frame sizes. 


Background: Users of a LAN-based Bulletin Board System (BBS) are complaining that it 
takes a long time to start the BBS software. The user’s workstation software downloads 
a file called BBS.BAT from the file server when the BBS is started. Using a Sniffer, 
the network administrator Eddy has noticed that the workstation software reads the file 
BBS.BAT in very small blocks. 


Configuration: Eddy has set up the workstations to use local data cache buffers. This 
allows a workstation to read large blocks of data from the server. Why is this not 
helping when BBS.BAT gets read? 


File Server 
BBS 
Novell30900F 

network 00004500 

node 000000000001 


Network Administrator User waiting Sniffer 
Eddy's PC for BBS to start up 
NwkGnl08058E 
network 00000047 
node 00006508058E 
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Exercise (continued) 


1. Load and display the trace file: C:\CAPTURE\TC102\BBS.ENC. 


2. Use the Manage names function to name 47.NwkGnl08058E “EddysPC” and 4500.1 
“FileServer.” 


3. In frame 1, EddysPC opens the file BBS.BAT. In frame 2, the File Server says the open
was successful and tells EddysPC to refer to that file with a File Handle. What is
the file handle? (See F=XXXX in the Summary window.)


4. In frame 2, what are the file attribute flags for the file BBS.BAT? 


5. In frame 3, EddysPC starts reading from the file BBS.BAT (file handle CA34 0000.) 
Set your mark at frame 3. 
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6. How many bytes does EddysPC read from the file BBS.BAT at a time? 


7. By looking in the Summary window at the read request and response in frames
733 and 734, you can determine that EddysPC read a total of 11,680 + 28, or
11,708 bytes from the file BBS.BAT.

Turn on cumulative bytes. 
a) How many total bytes were required to read 11,708 bytes from the file? 


b) Approximately what percentage of the total bytes were overhead (i.e. not 
data bytes.) 


8. In frame 769 Eddy downloads the FLAG.EXE file. This utility allows one to 
change the file attributes of a file. 


9. In frame 2319, EddysPC opens the file BBS.BAT again. In frame 2320, the 
FileServer says the open was successful and tells EddysPC to refer to that file 
with a File Handle. What is the file handle? 
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Exercise (continued) 
10. Looking at frame 2320, what file attribute flag did Eddy change for BBS.BAT? 


11. Set your mark at the next read for the file BBS.BAT (frame 2321). 


12. By looking in the Summary window at the read request and response in frames 2365
and 2366, you can determine that EddysPC read a total of 11,264 + 444, or 11,708
bytes, from the file BBS.BAT. (You can always look in the detail window of the
response frame after the read request in the NCP header for the size of the file.)


a) Using the cumulative bytes count, determine how many total bytes were required to 
read 11,708 bytes from the file this time. 


b) Approximately what percentage of the total bytes were overhead (i.e. not data bytes?) 


13. Why is the overhead for reading BBS.BAT so different the second time? For a hint 
read the following text from Appendix B of the NetWare Supervisor Reference: “The 
cache buffers option sets how many 512-byte buffers the shell will use for local caching 
of nonshared, nontransaction tracked files.” 
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Exercise (continued) 


14. Could it be that the workstation did not read large blocks of data from the file 
BBS.BAT because the file was marked sharable, and caching is not used for 
sharable files? 


15. Does the file BBS.BAT really need to be tagged as sharable if it is already tagged 
as read-only? 


Sniffer 


File Server 


User is happy now
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Exercise (Token Ring) 


Objective: Use RIP and SAP traffic to document a Novell network. 


Background: You’ve been called in to troubleshoot a Novell network. No documentation of the
network exists. Use the RIP and SAP traffic to document the network.


Hints: NetWare allows multiple network cards to be installed in file 
servers. They call these internal routers. Each board has a 
unique network address which is the address of the network 
to which the card is attached. They are always one hop from 
the server. Their IPX address will be shown in the Sniffer as 
network.board address. All routers on the same network cable, whether in 
another box or in a server must have the same network address defined 
when they are installed. 


NetWare 3.x and 4.x servers also have an internal network
address. The file server’s address is internal number.1 and
is always one hop in the SAP frames. 2.x servers do not have internal network
addresses.


Servers advertise through Service Advertising Protocol frames (SAPs). 
Services like print servers running in the server will also be 
advertised in the SAPs. They are one network away. 
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Exercise (continued) 


1. Load the file C:\CAPTURE\TC105\LOCRTR2.TRC. Press F3 twice. 

2. In this example, there are two IPX internal routers on network 00000002, router
SPISC (NetFrm0201E8) and router IBM 75EFBE.
In frame 4, router SPISC advertises to all stations on network 00000002 the
networks it can reach. What networks can router SPISC reach?
Network # Hop Cnt Ticks 


In frame 5, router IBM 75EFBE broadcasts a frame onto network 00000002. 
In this frame the router advertises the networks it can reach. What networks 
can router IBM 75EFBE reach? 

Network # Hop cnt Ticks 
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Exercise (continued) 


With the information in frames 4 and 5, sketch a map of the internetwork on the 
next page. Hint: “Hop count = 1” is for networks that are directly attached to the 
router. 


3. Using the SAP frames 2 and 3 add the servers to your drawing. Include server 
names. Hint: “Intervening network count = 1” is for File Services running in that 
router. “Intervening network count = 2” is for other services running on that router 
or services running on a directly connected network. 


Server name Intervening NW cnt 


4. In frame 12 workstation IBM 6F3256 inserts into the ring. (You won't see the 
Media Access Control frames for inserting into the ring because they were filtered 
out.) Add this station to your drawing on the previous page. 


5. In frame 12 workstation IBM 6F3256 sends a NetWare Service Advertising 
Protocol frame looking for file servers. Which router responds first? 


- Which file server can the router that responded first reach? 




Exercise (continued) 
Sketch a Network Map Below 
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Banyan VINES 


• Virtual NEtworking System (VINES)

• UNIX-Based Servers

• DOS, Macintosh, OS/2, and other operating systems

• Global naming system

• Superior WAN capabilities

• Start big, grow bigger

• Based on XNS, uses SMB file services (90% compatible)
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VINES Network Operating System 


Basic Services 


• Server Service

• StreetTalk: global naming service

• Vanguard: security service

• File services

• Print services

• Server-based routing

• StreetTalk Directory Assistance (STDA)

• Multilingual files
VINES Network Operating System


Optional Services 
5, 10, 20, 100, or 250 User license 


Integrated network mail system 
— SMTP mail gateway 


Server based network management (MNET) 
— SNMP proxy agent 


Intelligent messaging service 


Server to server communication options 
— LAN, WAN, X.25, ISDN, T-1, TCP/IP, SNA 


Asynchronous terminal emulation 
IBM 3270 SNA services 

Toolkit 
PC Dial-In 


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VINES Addressing 


• Every VINES server has a serialized server key.

• Banyan uses the serial number of the key as the network address.

• A server will assign itself a subnetwork address of 0001.

• All PCs connected to the same segment as the server use the same network address as the server.

• The server will then dynamically assign these PCs subnetwork numbers from 8001 to 8FFF.

• This assignment is accomplished using ARP.
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VINES Addressing (continued) 


[Figure: address assignment between a Client and Server A / Server B]

0 - Query Request (shown toward both servers)
1 - Query Response (shown from both servers)
2 - Assignment Request
3 - Assignment Response
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VINES IP Routing 


• Both clients and servers keep two tables
  — Neighbors table
  — All known networks table

• Clients only keep information on current connections.

• Routing is performed on least cost.

• Routing is dynamic. An entry ages out of the neighbors table after 9 minutes.

• Routing table updates are sent out every 98 seconds via Routing Update Protocol (RTP).

• Full tables are sent every 12 hours or when requested.

• Servers know cost to all other servers.
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VINES Internet Control Protocol 


• Provides services to transport layer

• Used when a destination cannot be reached

• Returns up to 40 bytes of the original IP packet

• Returns last hop cost
  — metric is used by transport layer as a timer
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VINES ICP (continued) 


Ethernet 


Server A Server B Server C 


Client 


Server A sends a data packet to a client. 
Server C returns an ICP metric notification to server A with last hop cost. 


Ethernet 


Server A Server B Server C Client 


Server A sends a data packet to a client. 
Server B is unable to reach the destination and returns an ICP exception
notification to server A.
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StreetTalk 


• VINES distributed naming service

• Logical link between users and network resources

• Based upon an object database containing group information residing on the user's StreetTalk server

• Three part name - Item@Group@Organization
  — Dan@Training@NGC
  — Laser Printer@Accounting@NGC
  — Shared Drive@MIS@NGC
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StreetTalk Blasts 


• In Version 3.X, StreetTalk would broadcast (blast) information regarding locally maintained groups if
  — A new server came up on the network
  — A local group was added or deleted
  — Once every 12 hours

• Since it used IPC unreliable services, a server would blast 4 times during a 53 minute period with a hop count of F.

• Version 4.X replaced the traditional blast with smaller blasts that contain IDs. If the IDs were changed, info was requested. Version 4.X is the transition version.

• Version 5.X StreetTalk can only communicate with 4.X or later servers.
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VINES Mail 


Server A Server B 


Mail Mail 
Transfer Transfer 
Service Service 


Mail Box Mail Box 
Service Service 
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VINES Troubleshooting 


Slow workstation response time. 


— Installation default Communication Buffers on the server are inadequate. 
Should be 100-400. Workstation buffers should be at least 24. 


— User is too far down on the Access Rights List (ARL) for a specific file or directory, resulting in 
slow search. 


— Server is busy processing routed traffic. Routing is a high priority kernel call.


User experiences slow response time and frequent disconnects. 


— If remote bridging is used, timeouts will result from incorrectly calculated total path metrics. 
— StreetTalk Directory Assistance (STDA) updates causing excessive bandwidth use. 


“VINES Files Unavailable” message. 


— Disk drive fills on server resulting in immediate crash. 
— Physical connection between client and server is broken. 
— Server is hung or busy with high priority processing. 


Network backup will not finish properly. 


— Excessive number of saved mail messages on the Mail Service being backed up. 
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VINES Troubleshooting (Cont.) 


User's login fails with “Server unavailable or incorrect name/password” error. 


— Physical connection to server is broken.
— User entered the wrong name or incorrect password (password is case-sensitive).
— StreetTalk server is hung or inoperative.


Mail services and server response time deteriorates. 


— User sent *@*@* EMail (maybe with a large file attached) resulting in excessive use of bandwidth. 


File or Print Service is not available. 


— Service was stopped by an administrator, or is hung and must be stopped and restarted. 


User cannot read from or write to a file service to which they are attached. 
— User is not included on Access Rights List (ARL) for that directory. 


Slow response time on file reads from the server. 


— Percentage of Cache Hits on server is too low. Should be about 85%.
— Server is busy routing traffic.
Banyan Ethernet Exercise


Objective: This exercise is designed to help the student understand some of the various
protocols used by Banyan VINES, as well as use some advanced features of
the Sniffer Network Analyzer.


1. Load and display the trace file C:\CAPTURE\TC102\BANEX.ENC.


2. Search for text on “VSARP” to see the effect of powering on a PC. VSARP is
VINES Address Resolution Protocol. What frame is selected?

3. What is the Source Network Address in that frame? Why?

4. What network address is eventually assigned to the DLC address of Novell491DE1?
In what frame number is the assignment made?
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Banyan Ethemet Exercise (continued) 


5. In what frame does the customer first attempt to Login? 


6. What is the User name and password? 


7. What transport layer protocol is used by a VINES Remote Procedure Call (VNRPC)? 


8. What’s happening in frames 290 - 292? 


9. Extra credit: What command might have been entered by the client to generate frame 
207? 

Banyan Token Ring Exercise


Objective: This exercise is designed to help the student understand some of the various 
protocols used by Banyan VINES, as well as use some advanced features of 
the Sniffer Network Analyzer. 


1. Load and display the trace file C:\CAPTURE\TC105\BANEX.TRC. 


2. Search for text on “VSARP” to see the effect of powering on a PC. VSARP is
VINES Address Resolution Protocol. What frame is selected? 


3. What is the Source Network Address in that frame? Why? 


4. What network address is eventually assigned to the DLC address of IBM7DB547? In 
what frame number is the assignment made? 

Banyan Token Ring Exercise (continued)


5. In what frame does the customer first attempt to Login? 


6. What is the User name and password? 


7. What transport layer protocol is used by a VINES Remote Procedure Call (VNRPC)? 


8. What’s happening in frames 558, 568, and 577?


9. Extra credit: What command might have been entered by the client to generate frame
399?

Frame Formats


VINES Layered Architecture


Layer          Protocol   Description
Application               StreetTalk, Vanguard, Mail, SNA Services, File Services, Print Services
                          Network Remote Procedure Calls
Transport      IPC        IPC is connection or connectionless
               SPP        SPP is connection oriented
Network        ICP        ICP reports and redirects
               RTP        RTP provides routing updates
               ARP        ARP dynamically assigns IP addresses
               IP         IP carries all upper layer data
Data Link      FRP        Fragmentation Protocol used only for packets that are less than 1500 bytes
Physical                  Any Physical Layer Protocol

VINES Network Operating System
Layer Two Protocol


Fragmentation Protocol


Fragmentation Protocol Header:

Fragmentation Protocol Field
    00 Middle Fragment
    01 First Fragment
    10 Last Fragment
    11 Only Fragment
Sequence Number
    0-255

VINES Network Operating System
Layer Three Protocols
VINES ARP Protocol


Frame layout: Data Link Header | VINES IP Header | VINES ARP Header | VINES ARP Data | Data Link Trailer


Field                Size       Values
Version Number       1 byte     00 Pre-5.50
                                01 5.50
Packet Type          1 byte     00 Query Request
                                01 Query Response
                                02 Assign Request
                                03 Assign Response
Network Number       4 bytes
Subnetwork Number    2 bytes
Sequence Number      4 bytes

VINES IP
Protocol Header


[Diagram: VINES IP protocol header. Labels legible on the slide: Check Field; Sequence (2 bytes); 2 bytes; Control (1 byte); (1 Byte); 18 for VIP Header plus data; 01 IPC; Destination Network Address; Destination Subnetwork; Network Address; Subnetwork Address (2 Byte).]


E-M-R or Class (Bits 0-3): indicates either Error, Metric, Redirect or Class.

Class
    00 All reachable, regardless of cost
    01 All reachable, except if packet charge imposed
    02 All reachable with low cost
    03 All reachable with high speed LAN
    04 Reachable service nodes, regardless of cost
    05 Reachable service nodes, except if packet charge imposed
    06 Reachable service nodes with low cost
    07 Reachable service nodes with high speed LAN

VINES RTP
Header


Fields: Version Number (2 bytes) | Operation type (1 byte) | Compatibility Flags (1 Byte) | Reserved (1 Byte) | Data Link Trailer

Version Number
    0001 for Version 5.50
Operation type
    01 Request
    02 Update Response
    03 Redirect
    04 Reinitialize
Value lists whose field labels are not legible on the slide:
    01 Host
    02 Router

    01 Same Revision
    02 Version mismatch
    03 Older neighbors present
    04 Automatic

VINES RTP (continued)


RTP Update/Response Format


Fields: Control Flags (1 byte) | Packet ID (2 bytes), incremented for each packet sent

Entry fields: Destination Network (4 Bytes) | Destination Metric (2 Bytes) | Destination Sequence # (4 Bytes) | Network Flags (1 Byte)

Value lists as printed on the slide:
    01 Response

    01 BOM
    02 EOM
    03 Only Packet
    04 Changes
    08 Full Information
    10 Resync

    01 Broadcast
    02 Point to Point WAN
    04 Non VIP
    08 Unknown Sequence #


Ethernet and Token Ring Network Analysis & Troubleshooting - 6/94 Rev. 4.4T Banyan VINES 26 


© Copyright 1990 - 1994 Network General Corporation. All rights reserved.


VINES RTP (continued 2)
RTP Request Format


Fields shown: RTP Header (6 bytes), Reserved (1 Byte), Sender Sequence Number (4 Bytes), Routing List Entries

Value list as printed on the slide:
    01 Specific
    02 Changes
    04 Full Information
    18 Null Information

Routing list entry: Destination Network (4 Bytes), Destination Sequence

VINES RTP (continued 3)
RTP Redirect Format


Frame layout: Data Link Header | VINES IP Header | RTP Header (6 bytes) | # bytes in DLC address (1 byte) | SLR length (1 Byte)

Destination fields:
    Destination Network        (4 Bytes)
    Destination Subnetwork     (2 bytes)
    Destination Metric         (2 Bytes)
    Destination Node Type      (1 Byte)
    Reserved                   (1 Byte)
    Destination Sequence #     (4 Bytes)

Preferred Gateway fields:
    Preferred Gateway Network        (4 bytes)
    Preferred Gateway Subnetwork     (2 bytes)
    Preferred Gateway Metric         (2 Bytes)
    Preferred Gateway Node Type      (1 Byte)
    Reserved                         (1 Byte)
    Preferred Gateway Sequence #     (4 Bytes)

VINES ICP


VINES ICP Packet Format


Frame layout: Data Link Header | VINES IP Header | ICP Header (4 bytes) | ICP Data (up to 40 bytes)

ICP Header
    Packet Type (2 bytes)
        0000 Exception
        0001 Metric
    Exception Code or Metric Value (2 Bytes)
ICP Data
    Original VINES IP Packet

VINES SPP


Layer Four Protocols


Transport Protocol


Fields legible on the slide:
    Source Port (2 Bytes)
    Destination Port (2 Bytes)
    Control (1 Byte)
    Sequence Number (2 Bytes)
    Ack Number (2 Bytes)
    two further fields of (2 Bytes) each, labels not legible
    Maximum Sequence Number Acceptable

Value lists as printed on the slide:
    01 Data
    03 Disconnect
    04 Probe
    05 Ack

    00 Middle of message
    01 Abort current message
    20 Start of message
    40 End of message
    60 Start/End of message
    80 Intermediate ack request




VINES IPC


Header with Packet Type 00 Datagram: Source Port (2 Bytes) | Destination Port (2 Bytes) | Packet Type (1 Byte), 00 Datagram | Control (1 Byte), NA


Reliable IPC Header: Source Port (2 Bytes) | Destination Port (2 Bytes) | Packet Type (1 Byte) | Control (1 Byte) | Local CID (2 Bytes) | Remote CID (2 Bytes) | Sequence Number (2 Bytes) | Ack Number (2 Bytes) | Error/Length (2 Bytes)

Value lists as printed on the slide:
    01 Data
    02 [illegible]
    [illegible]
    05 Ack

    00 Middle of message
    01 Abort current message
    20 Start of message
    40 End of message
    60 Start/End of message
    80 Intermediate ack request

VINES NET RPC
Layers Four & Five Protocol


Message types (Type field, 2 Bytes):
    0000 Call Message
    0001 Reject Message
    0002 Return Message
    0003 Abort Message
    0004 Search Message
    0005 Return Address Message
    0006 Search All Message

Other fields legible on the slide (the per-message field order is not recoverable):
    Transaction ID (2 Bytes)
    Protocol Revision (2 Bytes)
    Program Number (4 Bytes)
    Version Number (2 Bytes)
    Procedure Number, 0-255 (2 Bytes)
    Procedure Arguments (Variable)
    Procedure Results (Variable)
    Rejection Code (2 Bytes)
    Error Code (2 Bytes)

Server Message Block Protocol


• Application Layer Client-Server protocol originally
developed for the IBM PC LAN Program


• Supports Client-Server and Peer-to-Peer Operating
Systems (O/S’)


• Implemented in various O/S’
— 3Com 3+Open/Share
— Banyan Vines
— Microsoft Windows For Workgroups
— Microsoft Windows NT
— DEC Pathworks for DOS
— OS/2 LAN Server
— PCNet
— MS Net
— TCP/IP, UDP/IP

Server Message Block Protocol


• Four types of commands
— Session Control
— File Management
— Print Functions
— Messaging


• Not all SMB functions are supported by various O/S’


• Microsoft’s implementation of SMB typically uses
NetBIOS for the Transport and Session Layer
protocols

SMB File Sharing Connections


[Diagram: Consumer and Server, labelled Net Share and Net Use.]


• Users allow access to some or all of their files by
specifying the directory of their filesystem(s)
— Example: ‘NET SHARE \DIR1 “BONZO” RW’ will offer
‘Read/Write’ access privileges to all files in the subdirectory ‘Dir1’
if the correct password ‘bonzo’ is used by the consumer


• Other users gain access to some or all of the files by
specifying the destination host, directory, and
password
— Example: ‘NET USE \\DIR1 “BONZO”’

The IBM PC LAN Program


[Diagram: the IBM PC LAN Program. Labels legible on the slide: Application; I/O Requests (INT 21); Network Control; INT 2A; INT 2F; File and Print Servers.]

SMB Message Format


Field Name    Field Description
SMB_IDF       0xFF “SMB”
SMB_COM       Command Code
SMB_RCLS      Error code class
SMB_REH       Reserved (contains AH if DOS INT-24 err)
SMB_ERR       Error code
SMB_REB       Reserved
SMB_RES       Reserved
SMB_TID       Tree ID (a connection ID)
SMB_PID       Caller’s process ID (like a port number)
SMB_UID       User ID number
SMB_MID       Multiplex ID number
SMB_WCT       Count of parameter words
SMB_VWV       Variable number words of params
SMB_BCC       Number of bytes of data which follow
SMB_DATA      Data bytes

SMB File Sharing Commands


Open File             Obtains a file handle for a data file
Create File           Creates a new data file, or truncates an existing one
Close File            Invalidates a file handle for the requesting process
Flush File            Ensures that all data and allocation information for a file has been
                      written to non-volatile storage
Read                  Read bytes of a data file
Write                 Write bytes into a data file
Seek                  Sets the current file pointer for the requesting process
Create Directory      Creates a new directory
Delete Directory      Deletes an empty directory
Delete File           Deletes a data file
Rename File           Changes the name of a file
Get File Attributes   Obtains information about a file
Set File Attributes   Changes information about a file
Lock Record           Locks a given byte range

SMB File Sharing Commands (cont’d)


Unlock Record           Unlocks a given byte range
Create Temporary File   Creates a temporary file
Process Exit            Informs the server that a consumer process has terminated
Make New File           Creates a new file; will fail if file already exists
Check Path              Verifies that a path exists and is a directory
Get Server Attributes   Determines total server capacity and remaining free space
Negotiate Protocol      Allows a consumer to specify dialects that can be used for communication
File Search             Searches directories for a file
Create Print File       Creates a new print file
Close Print File        Invalidates the specified file handle and queues the file for printing
Write Print File        Appends the data block to the print file specified by the file handle
Get Print Queue         Obtains a list of the elements currently in the print queue on the server

SMB Architecture


• Virtual Circuit Environment
— separate virtual circuit (VC) between client and server
• Logon Environment
— Tree ID (TID) uniquely identifies a file sharing connection and is
initially set to 0000 until it is mapped to the server’s filesystem
directory
• Process Environment
— Process ID (PID) differentiates user processes within the same VC
and is initially set to 0000. Similar in use to a port or socket
• User Environment
— a unique User ID (UID) is used for each client


• There can be more than one virtual circuit between a
client and server and subsequently, multiple TIDs,
and PIDs for each UID
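
The SMB Message Format fields and the TID/PID/UID/MID roles above, as an added example that is not part of the course material: a Python parser that checks SMB_WCT and SMB_BCC against the captured length before using them. The field widths, little-endian byte order, helper names and all sample values are assumptions; the slide's Field Size column is not legible.

```python
import struct

# Fixed part of the message, little-endian, 33 octets. The widths are an
# assumption taken from the classic core-protocol layout: IDF 4, COM 1,
# RCLS 1, REH 1, ERR 2, REB 1, RES 14, TID 2, PID 2, UID 2, MID 2, WCT 1.
SMB_FIXED = struct.Struct("<4sBBBHB14sHHHHB")
SMB_MAGIC = b"\xffSMB"


class SMBFormatError(ValueError):
    """Raised when a buffer does not hold a well-formed SMB message."""


def parse_smb(buf):
    """Parse one SMB message; every length field is checked against len(buf)."""
    if len(buf) < SMB_FIXED.size:
        raise SMBFormatError("truncated: fixed part needs %d octets" % SMB_FIXED.size)
    (idf, com, rcls, reh, err, _reb, _res,
     tid, pid, uid, mid, wct) = SMB_FIXED.unpack_from(buf, 0)
    if idf != SMB_MAGIC:
        raise SMBFormatError("SMB_IDF is not 0xFF 'SMB'")

    # SMB_WCT is sender-controlled: confirm that the parameter words and
    # the 2-octet SMB_BCC after them really fit before reading them.
    off = SMB_FIXED.size
    if len(buf) < off + 2 * wct + 2:
        raise SMBFormatError("SMB_WCT=%d runs past the end of the frame" % wct)
    vwv = struct.unpack_from("<%dH" % wct, buf, off)
    off += 2 * wct
    (bcc,) = struct.unpack_from("<H", buf, off)
    off += 2

    # SMB_BCC is sender-controlled too: never trust it beyond what was captured.
    if bcc > len(buf) - off:
        raise SMBFormatError("SMB_BCC=%d exceeds the %d octets present"
                             % (bcc, len(buf) - off))
    return {
        "com": com, "rcls": rcls, "reh": reh, "err": err,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "vwv": list(vwv), "data": buf[off:off + bcc],
        "trailing": len(buf) - off - bcc,  # octets after SMB_DATA, if any
    }


def connection_key(msg):
    """(UID, TID, PID, MID): the IDs that separate conversations on one VC."""
    return (msg["uid"], msg["tid"], msg["pid"], msg["mid"])


def build_smb(com, tid, pid, uid, mid, vwv=(), data=b""):
    """Build a constructed test message with no error fields set."""
    head = SMB_FIXED.pack(SMB_MAGIC, com, 0, 0, 0, 0, b"\x00" * 14,
                          tid, pid, uid, mid, len(vwv))
    words = struct.pack("<%dH" % len(vwv), *vwv)
    return head + words + struct.pack("<H", len(data)) + data


# Constructed samples; every ID, handle and dialect value is made up.
# 0x72 is the Negotiate Protocol command: no parameter words, dialect
# strings in the data area, TID/PID still 0000 as the slide describes.
NEGOTIATE = build_smb(0x72, tid=0x0000, pid=0x0000, uid=0x0000, mid=1,
                      data=b"\x02PC NETWORK PROGRAM 1.0\x00")
# 0x0A is the Read command: five parameter words, no data bytes.
READ = build_smb(0x0A, tid=0x0801, pid=0x2F01, uid=0x0001, mid=7,
                 vwv=(4, 512, 0, 0, 0))

if __name__ == "__main__":
    for name, frame in (("negotiate", NEGOTIATE), ("read", READ)):
        msg = parse_smb(frame)
        print(name, "key=%r" % (connection_key(msg),), "words=%r" % msg["vwv"])
```

A frame whose SMB_WCT or SMB_BCC claims more than the capture holds raises `SMBFormatError` instead of being sliced, which is the check to keep when feeding untrusted captures to a decoder.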

Exercise


Objective: Examine a user logon failure to a Microsoft 
LanManager server. 


Hint: The failure is caused by a bug in the software that occurs 
when a network administrator sets up times when a user can and 
cannot log on. To recover from the failure, the network 
administrator can reboot the server. 


1. Load and display trace file C:\CAPTURE\TC105\NEWSMB.TRC 


2. Though the SMB connection establishment fails, we can see in the first 
11 frames that session establishment at the lower layers works fine. 


a) What frames show that the LLC session establishment worked? 


b) What frames show that the NetBIOS session establishment worked? 

Exercise (continued)


3. In frame 17, the user with the account name TSPPEZ attempts to logon and connect to 
the server. Set your mark at frame 17 and turn on Relative time. 


4. Do you see a response to the Setup Account and Connect requests in frame 17 within 
a reasonable amount of time (i.e. within a minute or so?) 


5. Measuring from frame 17: 
a) How long does it take for the NetBIOS software on TFC00957 to decide to end the 


session? 


b) How long does it take for the station's LLC layer to disconnect the session? 


6. a) Does the user try to log on again? 
b) How many times? 


c) Is the user ever successful? (Do you ever see responses to the Setup Account and 
Connect requests?) 

Exercise (continued)


7. Notice the long delta time between frames 68 and 69 and then the multiple frames 
from the FPD-IFS. What do you think the network administrator did during that long 
delta time? 

• Vendor developed API provides “hooks” to network
• Allows remote calls
• Allows simpler application development
• Standardizes network access
• Facilitates connection procedures and data transfer
• About 250 different APIs
• Common APIs:
- NetBIOS
- Named Pipes
- IPX/SPX
- SMB


[Diagram labels: User Written Application; Network Operating System; Physical Network.]

NetBIOS


• Networking extension of BIOS
• Jointly developed by IBM and Sytek
• Currently supported by many network application vendors
• About 22 different NetBIOS frames supported in token ring
• Facilitates name management, session control, data transfer
• Builds a session for each connection
• Different versions available



NetBIOS 


OSI 7-Layer Model NetBIOS Service 


Session Management 
Full-Duplex Transmission 
Error Control 

Flow Control 

Virtual Circuits 
Datagrams 

Connection Management 
Source Routing 


Name Management 

Sniffer Network Analyzer data from file C:\CAPTURE\ERRORS\XNETB4.TRC,
Page 1 


SUMMARY 


Delta T Destination Source Summary 


NetBIOS IBM 0033BF NETB Check name PORTABLE 
NetBIOS IBM 0033BF NETB Check name PORTABLE 
NetBIOS IBM 0033BF NETB Check name PORTABLE 
NetBIOS IBM 0033BF NETB Check name PORTABLE 
NetBIOS IBM 0033BF NETB Check name PORTABLE 
NetBIOS IBM 0033BF NETB Check name PORTABLE 

DETAIL 

----------------- Frame 9 -----------------

NETB: ----- NETBIOS Add Name Query ----- 

NETB: 

NETB: Header length = 44, Data length = 0 

NETB: Delimiter = EFFF (NETBIOS) 

NETB: Command = 01 

NETB: Response correlator = 0001 

NETB: Name to be added = PORTABLE 

Typical NetBIOS Session


Sniffer Network Analyzer data from file C:\CAPTURE\TC105\NEWSMB.TRC, Page 1


SUMMARY


Delta T   Destination    Source         Summary
 6.870    NetBIOS        Prteon047313   NETB Find name FPD-IFS
 0.001    Prteon047313   0001FA001019   NETB Name FPD-IFS recognized
 0.008    0001FA001019   Prteon047313   NETB D=E2 S=25 Session initialize
 0.001    Prteon047313   0001FA001019   NETB D=25 S=E2 Session confirm
 0.004    0001FA001019   Prteon047313   NETB D=E2 S=25 Data, 93 bytes
 0.008    Prteon047313   0001FA001019   NETB D=25 S=E2 Data, 69 bytes
 0.029    0001FA001019   Prteon047313   NETB D=E2 S=25 Data, 119 bytes
 0.046    Prteon047313   0001FA001019   NETB D=25 S=E2 Data ACK
30.156    0001FA001019   Prteon047313   NETB Session alive
 2.038    Prteon047313   0001FA001019   NETB Session alive
28.204    0001FA001019   Prteon047313   NETB Session alive
 3.124    0001FA001019   Prteon047313   NETB D=E2 S=25 Session end

NetBIOS Header


Field   Description                      Size
LEN     Length of Header and Data        (2 Octets)
DEL     Delimiter (always EFFF)          (2 Octets)
        NetBIOS Command                  (1 Octet)
        Optional Command Data            (1 Octet)
        Optional Command Data            (2 Octets)
        Transmit/Response Correlator     (4 Octets)
        Destination Session # or Name    (1 or 16 Octets)
        Source Session # or Name         (1 or 16 Octets)

NetBIOS Naming Conventions


The IBM PC LAN Program and other programs use a convention
where the 16th byte of a NetBIOS name has a special meaning:


<00> redirector name - name used to talk to redirector


<03> main user name - means a name for that machine (no 
forwarding) 


<05> means an alias used to receive messages on behalf of 
another station. (i.e. forwarded mail.) 


<20> server name 

NetBIOS Troubleshooting


1. Check for duplicate NetBIOS names. 
2. Check NetBIOS version compatibility. 
3. Check or verify if Routers are bridging. 


4. Implement NetBIOS filters in bridges to 
reduce unnecessary NetBIOS traffic. 
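
The NetBIOS header layout, the 16th-byte naming convention and troubleshooting step 1 above, as an added example that is not part of the course material: a Python parser for the header plus a check for the same name being added by more than one station. Little-endian byte order, the split of the 4-octet correlator into two halves, the placement of the added name in the source-name field, and every station and name value other than PORTABLE and IBM 0033BF are assumptions.

```python
import struct
from collections import defaultdict

# Fixed fields in slide order, little-endian (assumption): length,
# delimiter, command, optional data (1 octet), optional data (2 octets),
# and the 4-octet correlator split into transmit and response halves.
NB_FIXED = struct.Struct("<HHBBHHH")  # 12 octets
NB_DELIMITER = 0xEFFF
ADD_NAME_QUERY = 0x01  # command value shown in the Frame 9 decode

# Meaning of the 16th byte of a name, from the naming-conventions slide.
SUFFIX_MEANING = {
    0x00: "redirector name",
    0x03: "main user name",
    0x05: "alias for forwarded messages",
    0x20: "server name",
}


def parse_netbios(frame):
    """Parse the NetBIOS header; identifiers are 1 or 16 octets each."""
    if len(frame) < NB_FIXED.size:
        raise ValueError("truncated NetBIOS header")
    length, delim, cmd, data1, data2, xmit, resp = NB_FIXED.unpack_from(frame, 0)
    if delim != NB_DELIMITER:
        raise ValueError("delimiter is not EFFF")
    # The slide's widths allow two header sizes: 12 + 2 (session numbers)
    # or 12 + 32 (names), the latter matching 'Header length = 44'.
    width = {NB_FIXED.size + 2: 1, NB_FIXED.size + 32: 16}.get(length)
    if width is None:
        raise ValueError("unexpected header length %d" % length)
    if length > len(frame):
        raise ValueError("header length exceeds the captured octets")
    start = NB_FIXED.size
    return {
        "length": length, "command": cmd,
        "transmit_correlator": xmit, "response_correlator": resp,
        "dest": frame[start:start + width],
        "source": frame[start + width:start + 2 * width],
        "data": frame[length:],
    }


def describe_name(raw16):
    """Split a 16-octet name into its text and the meaning of byte 16."""
    text = raw16[:15].decode("ascii", "replace").rstrip(" \x00")
    return text, SUFFIX_MEANING.get(raw16[15], "unlisted (0x%02X)" % raw16[15])


def duplicate_names(observations):
    """observations: (station, frame) pairs, station taken from the DLC layer.

    Returns {name16: [stations]} for names that more than one station
    tried to add. Retries from a single station are not duplicates.
    """
    claims = defaultdict(set)
    for station, frame in observations:
        try:
            hdr = parse_netbios(frame)
        except ValueError:
            continue  # not a well-formed NetBIOS frame
        if hdr["command"] == ADD_NAME_QUERY and len(hdr["source"]) == 16:
            claims[hdr["source"]].add(station)
    return {n: sorted(s) for n, s in claims.items() if len(s) > 1}


def build_add_name_query(name, suffix, correlator):
    """Constructed frame; assumes the added name is in the source-name field."""
    name16 = name.encode("ascii").ljust(15, b" ") + bytes([suffix])
    fixed = NB_FIXED.pack(44, NB_DELIMITER, ADD_NAME_QUERY, 0, 0, 0, correlator)
    return fixed + b"\x00" * 16 + name16


# Constructed capture: one station retrying PORTABLE, a second station
# adding the same name, and an unrelated server name. Suffixes are made up.
SAMPLE = [
    ("IBM 0033BF", build_add_name_query("PORTABLE", 0x03, 1)),
    ("IBM 0033BF", build_add_name_query("PORTABLE", 0x03, 1)),
    ("STATION-B", build_add_name_query("PORTABLE", 0x03, 9)),
    ("STATION-C", build_add_name_query("EXAMPLESRV", 0x20, 4)),
]

if __name__ == "__main__":
    for name16, stations in duplicate_names(SAMPLE).items():
        print("%s <%s> added by %s" % (*describe_name(name16), stations))
```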

Exercise


Objective: Determine the origin of a broadcast storm.


1. Load trace file C:\CAPTURE\TC105\FILESERV2.TRC
2. Display the file.
3. View the Expert Window.
4. What Symptoms do you see?
5. View the Symptom Summary for any Symptoms you find.
6. View the Symptom Detail for any Symptoms you find.
7. Display the data.
8. Do you see anything out of the ordinary? Page down
through the trace several times.

Exercise (Continued)


9. Since this trace indicates a high level of broadcast traffic,
use the display filter to filter on frames that fall into the
broadcast destination class. (F6, Enter the letter F twice
for Filters, arrow to the right, Enter the letter D for
Destination, arrow to the right, arrow down once, hit the
spacebar to deselect frames addressed to a specific device,
hit F3 to redisplay the data).


10. Hit the home key. The resulting display should only
contain broadcast traffic. Let’s begin investigating this
traffic by focusing in on various conversations. Start with
the first station displayed (IBM 30F315). Adjust your
filter so that only traffic to and from this station is
displayed (F6, enter F twice for Filters, arrow to the right,
arrow up once to select Station address, arrow to the
right, arrow to the right, hit the enter key, select from the
available stations IBM 30F315, F3 to redisplay the data).
This station is looking for the Attachmate Gateway
PFO10T. Why the gateway does not answer is unknown.
We should have the configuration for these two machines
checked.

Exercise (Continued)


11. Let’s continue looking at other traffic (F6, enter F
twice for Filters, arrow to the right, arrow up once to
select Station address, arrow to the right, arrow to the
right, enter E for Exclude these, hit the space bar to
select, arrow to the left, enter O for Others, arrow to
the right, hit the space bar to Include others, F3 to
redisplay the data).


12. Continue using Match 2, Match 3, and Match 4. Select
the next available station, and repeat the process. You
will have to adjust the Others filter option as you
continue. Proceed until all the broadcast frames have
been analyzed. Try to identify the source of the
broadcast traffic.


13. What conclusions can you make at this point? What
would you recommend to the administrator of this
network?

AppleTalk Basics


• Physical and data link layers independence — supports
LocalTalk, Ethernet, Token Ring, Fiber, etc.


• Dynamic node assignment eliminates need for administrator
to assign an ID to each station


• Logical grouping of devices into named “zones”


• Distributed naming
— Users name their own workstations
— Administrator names servers, printers, and zones
— Users run “Chooser” to reach a named service in a zone

AppleTalk Phase 2


• Offers performance enhancements for large installations
— Uses Data Link Layer multicast, instead of broadcasts
— Network administrator assigns a range of network numbers to
a network so that there can be more than 254 nodes per
network segment


• Phase 2 is compatible with older implementations and
applications
— Only routers MUST change
— EtherTalk nodes can be upgraded as desired
— No changes to LocalTalk nodes

AppleTalk Phase 2 Internet


[Diagram: AppleTalk Phase 2 internet. Labels: Zone B, Zone A, Zone A; EtherTalk Net 100-101; LocalTalk Net 102; TokenTalk Net 103-104.]

Dynamic Node Assignment in Phase 2


• AppleTalk nodes are uniquely identified by both their network ID and node ID. Once a
Macintosh has been on an AppleTalk network, it saves its network ID and node ID in
non-volatile RAM.


• When a node is booted, if it has a network ID and node ID in non-volatile RAM, it uses
AppleTalk Address Resolution (AARP) "probe" frames to make sure that the "network
number.node ID" is still unique. It sends 10 probes.


• If a node has nothing in non-volatile RAM, it makes up a network number and node ID
and sends 10 AARP probes.


• After probing, the node broadcasts a GetNetInfo packet. Routers broadcast responses
telling nodes what the network number range for their network is. If the node "probed"
for an invalid network number, it must try again 10 times with a correct one.


• Sometimes nodes will also then make sure their name is unique. This always happens
for servers and printers, but not always for workstations. (If the workstation runs the
"responder" program during boot, it will check to see if its name is unique.)


• Note that the Sniffer displays AppleTalk node identifiers as: x.y where x is the network
number and y is the node ID.

Routing Table
Maintenance Protocol (RTMP)


• Used by routers to establish and maintain routing tables


• Each router broadcasts its routing table every 10 seconds


• Routers update their tables based on RTMP packets
received from other routers

Zone Information Protocol (ZIP)


• Used by routers to maintain a list of zone names associated
with each network


• If a router learns about a new network from another router's
RTMP frame, it will query the other router for all zone names
associated with the new network


• End nodes query the router for ZIP information:
— When the end node enters the network, it requests names of zones associated with
the network on which the end node resides.
— When the user pulls up the chooser, the end node software requests a listing of all the
zones in the internetwork.

Name Binding Protocol (NBP)


• Users know the File Server as FileServer1 in Zone
Marketing


• NBP converts a name into a numeric address
— FileServer1:AFPServer@Marketing is converted to
Network#.Node#.Socket#


• Names given to print services, a user's mailbox,
file services, etc.

How NBP Works


Station A: Ask router to send a multicast to all nodes in zone
telling them Station A is looking for file servers (for example)


Router: Send multicast lookup frame asking if
there are any file servers out there


File Server: I'm a file server. My address is net#.node ID

Troubleshooting


Problem: A zone name is missing from users’ Chooser listings.
Possible Cause: Check for physical cabling problems first.
Next see if router is crashed or hung and needs to be rebooted.
Then see if two networks were assigned the same network
number during router setup - you must change router setup
on one of the routers.


Problem: A file server name is missing from users’ Chooser listings.
Possible Cause: File server crashed or incompatible software
versions. Note that EtherTalk 1.0 nodes don’t respond
to EtherTalk 2.0 requests and vice versa.


Problem: One or more devices are listed in the wrong zone in users’ Chooser listings.
Possible Cause: A zone name was changed on a router and that router
was restarted too soon. If you leave that router turned
off for 10 minutes, the other routers will automatically
phase out the old zone name.


Problem: Excessive broadcast frames causing network congestion.
Possible Cause: To avoid infinite NBP lookup multicast frames,
tell your users not to leave their Chooser window open
with a device type selected. (Not an issue for Macintosh
System Software 7.X)


Problem: Two devices appear not to function on network.
Possible Cause: Two nodes may have chosen the same node ID
and/or name. To ensure uniqueness, don’t connect a node
to the network after it’s already gone through its boot
process. Connect it to the network and then boot.

Exercise (Ethernet)


Objective: Study network traffic when a new node joins the network. 
1. Load and display the trace file C:\CAPTURE\TC102\ATPH2.ENC. 


2. In the beginning of this trace, station 3Com 844822 uses the AppleTalk Address 
Resolution Protocol (AARP) to determine if its randomly chosen network number and 
node ID are unique. 


What number does 3Com 844822 choose for its network number? 
For its node ID? 


3. In frame 11, 3Com 844822 (65291.120) broadcasts a GetNetInfo frame to all 
AppleTalk nodes. Routers answer this request. How many routers are there on this 
local network? What do these routers say the network range for this network is?


4. What does 3Com 844822 do in frames 14-19 and 23-26? 


5. In frame 40, 3Com 844822 (3724.120) starts looking for an AppleTalk Filing Protocol 
(AFP) compatible file server. Does 3Com 844822 (3724.120) succeed in finding such 
a server? 

Exercise One (Token Ring)


Objective: Investigate network traffic when a new AppleTalk station enters the 
ring. 


1. Load the file C:\CAPTURE\TC105\TTALK.TRC. Display the Summary, Detail 
and Hex windows. 


2. In what frame does station 5000E0000038 send its Duplicate Address Test frame 
to enter the ring? 


3. In what frame does station 5000E0000038 start sending AppleTalk Address
Resolution Protocol (AARP) frames to determine if its randomly chosen network 
number and node ID are unique? 


4. What number does 5000E0000038 choose for its network number? 
For its node ID? 


5. Did it choose a valid network number and node ID? 

Exercise Two (Token Ring)


Objectives: Determine why 5000E0000639 reports receiver congestion errors.
Investigate the network behavior of the “Remounter” software
running on station 5000E0000639.


Background: Station 5000E0000639 is a notebook computer that is attached to a 
“docking station” which includes a Token Ring network interface 
card. The notebook computer is running Remounter software that 
checks the station’s connection to the network when it appears that 
the network connection may have been lost. Due to a design flaw in 
the power supply of the docking station, the computer checks its 
connection to the network rather often. 


1. Load the file C:\CAPTURE\TC105\ECHO_BR1.TRC. Press F3. 


2. Arrow down to the diagnosis at the DLC Stations layer. Press Enter on the 
diagnosis. What is the diagnosis? 


3. Press F3 to display the data. Press F6 for Display options and turn on DLC 
addresses. 


4. Search for text on “congestion” to find where 5000E0000639 says it is congested. 
Set your mark at this frame. 

Exercise (continued)


5. Remember that soft errors are usually reported approximately 2 seconds after the 
event that triggered the problem. Turn on Relative time and find the traffic that 
happened approximately 2 seconds before the receiver congestion soft error from
5000E0000639. What kind of frames did 5000E0000639 receive approximately 2 
seconds before its soft error? (Hint: Look at frames 43-80.) 


6. In frame 42, we see the Remounter software on station 5000E0000639 check its 
connection with the network. What kind of frame is frame 42? 


7. Note that the DLC destination address in frame 42 is C00040000000. This is the
address AppleTalk uses for a Token Ring multicast. This frame will go to all 
AppleTalk stations on this ring. 


Will frame 42 also cross bridges? 


Will frame 42 also cross routers? 

Exercise (continued)


8. Some TokenTalk (AppleTalk on Token Ring) implementations cannot respond to 
an Echo request from a station on a different ring without first finding a route to 
that station. These implementations cannot just set the “Backward direction” bit 
in the Routing Information and return a response to the Echo. Instead, the stations 
have to first send a message to find the station that sent the echo frame. What 
method do these stations use to find station 5000E0000639 before returning a
response to the Echo request? 


9. In what frame does station 400000024124 finally respond to station 
5000E0000639’s echo request? 


10. Does station 5000E0000639 broadcast any other echo requests after the one in 
frame 42? 
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Exercise (continued) 


11. By now you should understand why 5000E0000639 is getting congested. Explain 
why station 5000E0000639 is getting congested. 


12. Are echo broadcast requests a good way for a station to check its connection to the 
network? 


13. What kind of network performance would you see if a lot of notebook computers 
with poor power supplies were running the Remounter software? 
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SNA Overview 


• Systems Network Architecture 

• IBM’s solution to product compatibility 

• Networking/communications standard 

• Protocols, procedures, and platforms 

• All IBM products have been upgraded to support SNA 

• Software, hardware, communications protocols 

• Wide area networking 
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SNA Components 
[Figure: SNA components. Labels: 3090 Mainframe; 4300 Mainframe; three 3745 Front End Processors; Token Ring; 3174 Cluster Controller; AS/400 minicomputer; 3270 type terminals; PCs running 3270 emulation or APPC/PC.] 
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SNA Network Addressable Units 


• System Services Control Point (SSCP) 

Network software that runs on a host and manages and 
maintains the SNA network configuration and operation 


• Physical Unit (PU) 

Network software that manages and monitors the 
resources for a specific network node, i.e. a Front End 
Processor or host 


• Logical Unit (LU) 

Network software that interfaces the user to the services 
of the network 
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SNA Physical Units 


• PU Type 5 
A host node, contains the Systems 
Service Control Point (SSCP) 


• PU Type 4 
A Front End Processor, runs the 
Network Control Program (NCP) 


• PU Type 2.1 
Intelligent workstation or 
minicomputer, supports 
peer-to-peer communication 


• PU Type 2 
An SNA capable peripheral node, 
i.e. a cluster controller 


• PU Type 1 
A non-SNA peripheral node 


[Figure: example network. Labels: Mainframe, PU type 5; Front End Processor, PU Type 4; Controller, PU Type 2; Token Ring; AS/400 minicomputer; PC with LU only; PC with PU and LU.] 
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SNA Logical Units 


• LU Type 0 
Program to device, may be supplemented 
by user defined protocols 


• LU Type 1 
Program to device, master/slave 
relationship; printers, plotters, storage 
devices 


• LU Type 2 
Master/slave relationship, 3270 CRTs 


• LU Type 3 
Master/slave relationship, 3270 printers 


• LU Type 4 
SNA character string terminals and 
word processors 


• LU Type 6.2 
Program to program 


• LU Type 7 
AS/400, 5250 interactive terminals 
supporting icons and graphics 


[Figure labels: Mainframe applications = LUs; 3174 Cluster; Token Ring; APPC/PC, LU Type 6.2.] 
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AS/400 
minicomputer 
LU Type 7 
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SNA Session Establishment 


PU type 2, Secondary LU 


Host, SSCP 
PU type 5 
Primary LU 


FEP 
PU type 4 


Activate Physical Unit (ACTPU) 


Positive Response 


Activate Logical Unit (ACTLU) 


Positive Response 


BIND 


Positive Response 
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SNA Headers 


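[Figure: SNA header nesting, shown for a LAN Basic Link Unit and a WAN Basic Link Unit. DATA preceded by the REQ/RESP Header forms the Basic Information Unit (BIU); the BIU preceded by the Transmission Header forms the Path Information Unit (PIU).] 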
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Improving SNA Performance 
The Micro-to-Mainframe Link 
• Use LU 6.2 peer-to-peer communications for batch file transfers 
instead of 3270 LU Type 2 file transfer. LU type 2 file transfer 
emulates the 3270 terminal data stream and is not optimized for file 
transfer. 

• Use larger Token Ring frame sizes. 

• Use a faster microcomputer. SNA performance on an 8088 or 
80286 is poor. 

• Use segmenting. Make the RU size larger than the frame size. 
This forces the RU messages to be broken into multiple frames 
called “segments”. 

• Upgrade the 3174-011 controller model to a 3174-11 model. If you 
can afford it, upgrade to the 3172 model. The 3172 model is even 
faster and also handles OSI and TCP/IP. 


Source: Mohen, Joe, “Start Your Engines for Improved SNA Performance,” Data Communications, November 1991 
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Troubleshooting SNA 


To establish a connection to the SNA environment, the 
SNA data must travel across the network using 
protocols common to the LAN environment. SNA 
sessions use a variety of transports: 

- LLC 

— NetBIOS 

— SPX 

— TCP/IP 


It is important to verify that the transport being used is 
operational, before attempting to diagnose the session. 
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Troubleshooting SNA 


Focus in on “negative responses” 


¢ IBM uses positive and negative responses during 
session setup and teardown. 
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Troubleshooting SNA 


Focus in on “negative responses” 
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C SC ACTPU PUS5 

C SC ACTLU 
+R SC ACTPU 
+R SC ACTLU 

C FMD Application Data 
+R 

C FMD Application Data 


C SC BINDLU2 NCFO05 


+R SC BIND 


C SC UNBIND (BIND forthcoming) 


+R SC UNBIND 
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Troubleshooting SNA 


Focus in on “negative responses” 


• Search “Summary” text for “SNA -R” 
• Search “Detail” text for “- RESPONSE” 


— In an SNA environment, a negative response is associated with 
“Sense data”. This data represents the reason a negative response 
was issued. 


SNA: 

SNA: 

SNA: - RESPONSE: Code = 31 (BIND: Bind Session) 
SNA: Sense data: 

SNA: Category = 08 (Request reject) 

SNA: Modifier = 05 (Session limit exceeded) 

SNA: More Info = 0009 

SNA: 
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Troubleshooting SNA 


If you know what part of the SNA header you are looking for, I can filter on that traffic! 


I’m having a tough time solving this problem! 
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Exercise One 


Objective: Identify an SNA Bind failure 

1. Load trace file CAPTURE\TC105\KSNAGAT.TRC. 

2. Display the file with the Summary and Detail windows open. 

3. Set up a Protocol Display filter to only show SNA. 

4. Locate the first SNA BIND command. 

5. Locate the corresponding reply. 

6. Examine the SNA Response Header (RH) for reply located in 
question #5. 

7. Find all packets where the RU category bits in RH byte 0 are for 
“session control” AND the response type bit in RH byte 1 is 
negative (i.e. 1, not 0.) 

Hint: use “binary” pattern matching 

8. Why did the BIND fail? 
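
The binary pattern match asked for in step 7, written out as an added example that is not part of the course material. The masks follow the standard SNA RH bit layout (bit 0 is the most significant bit), the frames in SAMPLE are constructed, and each one is assumed to start at the RH with the Transmission Header already removed. It also shows that a pattern on only the two fields named in step 7 can match a request, because in a request the same bit position is the exception response indicator.

```python
from typing import NamedTuple, Optional

# SNA numbers bits from the most significant end, so "bit 0" is mask 0x80.
RRI = 0x80        # RH byte 0, bit 0: 0 = request, 1 = response
CATEGORY = 0x60   # RH byte 0, bits 1-2: RU category
SDI = 0x04        # RH byte 0, bit 5: sense data included
RTI = 0x10        # RH byte 1, bit 3 in a response: 0 = positive, 1 = negative
                  # (in a request this bit is ERI, the exception response indicator)

RU_CATEGORY = {0: "FMD", 1: "NC", 2: "DFC", 3: "SC"}
REQUEST_CODE = {0x0D: "ACTLU", 0x11: "ACTPU", 0x31: "BIND", 0x32: "UNBIND"}
SENSE_CATEGORY = {0x08: "Request reject", 0x10: "Request error",
                  0x20: "State error", 0x40: "RH usage error", 0x80: "Path error"}
# Only the modifier shown on the sense-data slide; other values are left unlisted.
SENSE_MODIFIER = {(0x08, 0x05): "Session limit exceeded"}

# Mask/value pairs over RH bytes 0 and 1.
STEP7 = (bytes([0x60, 0x10]), bytes([0x60, 0x10]))    # x11x xxxx  xxx1 xxxx
STRICT = (bytes([0xE0, 0x10]), bytes([0xE0, 0x10]))   # 111x xxxx  xxx1 xxxx


class RH(NamedTuple):
    response: bool
    category: str
    sense_included: bool
    negative: bool


def parse_rh(data: bytes) -> RH:
    """Decode the fields of the 3-byte RH that matter for response triage."""
    if len(data) < 3:
        raise ValueError("an RH is 3 bytes long")
    response = bool(data[0] & RRI)
    return RH(response=response,
              category=RU_CATEGORY[(data[0] & CATEGORY) >> 5],
              sense_included=bool(data[0] & SDI),
              negative=response and bool(data[1] & RTI))


def pattern_match(data: bytes, mask: bytes, value: bytes) -> bool:
    """Binary pattern match: compare only the bits selected by the mask."""
    if len(data) < len(mask):
        return False
    return all((d & m) == v for d, m, v in zip(data, mask, value))


def select(frames, pattern):
    """Return the indexes of the frames whose RH matches the mask/value pair."""
    return [i for i, frame in enumerate(frames) if pattern_match(frame, *pattern)]


def decode_negative_response(data: bytes) -> Optional[dict]:
    """For a negative response, return RU category, sense data and request code."""
    rh = parse_rh(data)
    if not rh.negative:
        return None
    ru = data[3:]
    result = {"category": rh.category, "sense": None, "request": None}
    if rh.sense_included and len(ru) >= 4:
        cat, mod = ru[0], ru[1]
        result["sense"] = {
            "category": SENSE_CATEGORY.get(cat, f"unlisted {cat:02X}"),
            "modifier": SENSE_MODIFIER.get((cat, mod), f"unlisted {mod:02X}"),
            "more_info": ru[2:4].hex().upper(),
        }
        ru = ru[4:]          # the request code follows the 4 sense bytes
    if ru:
        result["request"] = REQUEST_CODE.get(ru[0], f"code {ru[0]:02X}")
    return result


# Constructed RH + RU samples (not taken from KSNAGAT.TRC).
SAMPLE = [
    bytes.fromhex("6B8000" "31"),            # 0: SC request, BIND (RU truncated)
    bytes.fromhex("EB8000" "31"),            # 1: SC positive response to BIND
    bytes.fromhex("6B9000" "31"),            # 2: SC request with ERI set
    bytes.fromhex("EF9000" "08050009" "31"), # 3: SC negative response, sense 0805 0009
    bytes.fromhex("039000" "C1C2C3"),        # 4: FMD request with ERI set
]

if __name__ == "__main__":
    print("step 7 pattern :", select(SAMPLE, STEP7))
    print("with RRI = 1   :", select(SAMPLE, STRICT))
    for i in select(SAMPLE, STRICT):
        print(i, decode_negative_response(SAMPLE[i]))
```
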
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Exercise Two 


OBJECTIVE: To familiarize you with the general aspects of Terminal and Host 
communications by examining a conversation. 


BACKGROUND: This trace was taken from a network that was running a NetWare/SNA 
gateway. The trace shows SNA terminal data encapsulated in Novell’s SPX transport 
layer protocol. 


1. Load the file C:\CAPTURE\TC105\SPX-T&H.TRC. Display the Summary screen. 


2. Use the Manage Names function to assign the following names for Novell XNS 
addresses: 


1.400000001000 = GATE 
110A.3Com A7225B = WS 
Change Name Width to 8. 


3. Redisplay and observe the exchange of IPX sequenced frames. Novell has chosen to 
refer to Xerox Network Services Sequenced Packet Protocol (XNS SPP) as the 
Sequenced Packet Exchange Protocol (SPX). The Sniffer displays frames with SPX 
headers as IPX SPX frames in the Summary window. 


4. Observe Frame #1. This is data coming from a 3270 SNA gateway going to a user’s 
workstation. The SNA terminal data is being carried as SPX data. 
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Exercise Two (continued) 


5. Study the frame detail. The gateway is now sending IPX SPX sequence number 86. 
In the gateway a connection management process is talking to a terminal process in 
the user’s workstation. The Source process is identified as 0B07 and the Destination 
process is B621. 


6. Observe Frame #2. Process B621 is acknowledging receipt of the previous frame. 
(In other words, it successfully received 86 so it is now expecting 87.) 


7. Go back to Frame #1 and display the Detail screen. How many bytes of data are 
being carried by this frame? 


8. Turn on the Hex window. Can you understand the meaning of the data being carried? 
{HINT: This is a 3270 SNA terminal session; SNA uses EBCDIC encoding, NOT 
ASCII encoding. Check the setting for Hex decoding! } 


9. The data consists of various control characters as well as clear text. The next page 
shows a generalized picture of what the terminal screen might look like. Study the 
hex data. Do you see how this could be the screen the user is seeing? 
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Exercise Two (continued) 


This is, generally, what the correct appearance of 
the user's screen would be. 


PURMENU1 APMMENM1 
*** ACCOUNTS PAYABLE MENU ***, 
SCREEN 01 07/16/92 13:31:48.0.0 
--- PURCHASE ORDER FUNCTIONS --- 


FUNCTION DESCRIPTION 


UPD/INQ PURCHASE ORDER MAINTENANCE 

PRINT PURCHASE ORDER PRINT 

PRINT PRINT PURCHASE ORDERS FOR A USER-ID 
UPD/INQ VENDOR/SUPPLIER MAINTENANCE 
UPD/INQ PACKAGING PURCHASE ORDERS 

UPDATE CLOSE A PURCHASE ORDER 

UPDATE OPEN A PURCHASE ORDER 

INQUIRY PURCHASE ORDER BY LOCATION 

LOGOFF LOGOFF APM SYSTEM AND RETURN TO QSR 


KEY YOUR SELECTION AND PRESS ENTER--> 
PRESS ENTER FOR NEXT PAGE 
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Digital Network Architecture (DNA) 


DNA Layers and DNA Functions (Phase IV) 


[Figure: DNA layer diagram. Recoverable labels: Network Management; Network Application; End-to-End Communications; Physical Link; Remote Resource Access; Remote Booting; Remote Command File Submission; Virtual Terminals; Task-to-Task; (Point-to-Point); X.25; Ethernet.] 



Ethernet and Token Ring Network Analysis & Troubleshooting - 6/94 Rev. 4.4T 




© Copyright 1990 - 1994 Network General Corporation. All rights reserved. 
Sniffer University™ 


Ethernet Clients in a DEC Environment 


[Figure: protocol stack. Labels: DRP; SCA; other protocols (i.e. IP or OSI); Ethernet Device Driver; Ethernet Controller Card.] 

• LAT — Local Area Transport used by terminals and terminal servers 


• MOP — Maintenance Operation Protocol used for downloading large files, for example the operating 
system for diskless stations 


• DRP — DECnet Routing Protocol carries most internetwork mail, remote file access and login traffic 


• SCA — System Communication Architecture, used by VAX clusters — groups of VMS systems that share 
disk drives and security/management data 
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What Path Will the DECnet Routing 
Protocol Choose From A to D? 


DECnet Routing Protocol (DRP) 


¢ Network administrator assigns a “cost” to each route. 
¢ DRP always takes the route with the lowest cost. 


¢ To avoid congestion, the network administrator sets a limit to 
the number of frames that can be queued for transmission to a 
particular route; frames beyond this limit are not forwarded. 


¢ Routers exchange “Router Hello” messages that help them 
adapt to changes in topology. 
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Level 1 and Level 2 Routers 


DEC defines an “area” — a group of 1023 nodes 


Level 1 routers talk to other Level 1 routers within their own “area” 


Level 2 routers connect “areas” and forward data to Level 1 routers 


Up to 63 areas can be interconnected 


[Figure: Area 1 and Area 2, each drawn with two Level 1 Routers and one Level 2 Router.] 
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Hello Protocol Data Units 


• Perform “neighbor notification” 


• Routers exchange “hello” messages containing information on 
the state of their links to other routers. 


• At least one router must send Hello messages to all the 
end-nodes so they know how to get to other networks. 


• End-nodes periodically send Hello messages to all routers so the 
routers learn who is on their network. 


• Frequency of Hello messages is determined by the network 
administrator. The frequency is usually around 15 seconds. 
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DECnet Addresses 


• A DEC station does not use the built-in NIC Ethernet address. 
A DEC station is automatically assigned a new DLC address 
that is based on the station's network layer address. 


• To arrive at a station's DLC address, the station's DECnet area 
number is multiplied by 1024 and added to the station's node 
number. Then the number is converted to HEX and the pairs 
are inverted. AA-00-04-00 is pre-pended to the result. 


• For example Area 17, Node 110 uses the DLC address of 
AA-00-04-00-6E-44. 


17 * 1024 = 17,408 

17,408 + 110 = 17,518 

17,518 converted to HEX = 446E 
Invert the pairs to arrive at 6E44 
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Expert Sniffer's Method of Finding 
Duplicate DECnet Addresses 


¢ Since a DEC station is automatically assigned a new DLC address that is based on the 
station's network layer address, the Sniffer Analyzer cannot identify a duplicate 
network layer address problem by identifying two DLC stations being associated with 
the same network layer address (as it does for TCP/IP). 


¢ Instead the Sniffer looks for inconsistencies in the DEC EndNode Hello frames. 


¢ If Expert incorrectly identifies Duplicate DECnet addresses, try changing the 
Duplicate % threshold under Expert settings-Thresholds-Network station. 


[Figure: two rows of Hello frames along a Time axis, every frame labelled “Hello from 17.110”: two frames on the first row and seven on the second.] 
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Network Services Protocol (NSP) 


NSP forms logical links between users. 


Within a logical link, there are two subchannels — one for 
data passed in from higher-layer protocols, one for interrupts 
and out-of-band signaling. 


Within each subchannel, messages (called “segments”) are 
numbered sequentially. 


The receiving NSP module can acknowledge several 
segments at once by specifying the highest segment number 
received successfully. 


Various flow control methods are used to ensure the sender 
doesn’t send too many segments at once. 
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Data Access Protocol (DAP) 


DAP is a protocol used by two cooperating 
processes to define the exchange of data 


Operator (i.e. type of message)   Operands (parameters) 

Configuration Message             buffer sizes, operating system type, file system type, 
                                  system capabilities 

Access Message                    file name 
                                  type of access requested (i.e. open, create, rename, 
                                  erase, directory list) 
                                  type of shared access to allow 

Attribute Message                 structure of the file 
                                  returned in response to an Access message 

Control Message                   requests - mode of data transfer 
                                  responses - data sent in blocks 
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DECnet Phase V 


• Based on OSI protocol stack 
• Supports 10 2snodes (uses OSI addressing) 
• DECnet Phase IV and Phase V networks can coexist 


• Routers exchange information on the state of adjacent links. 
This lays the groundwork for future sophisticated adaptive 
routing schemes. 


• DAP is replaced by Distributed File System, Local Area VAX 
Cluster (LAVC) protocols, and OSI FTAM standard 


• DECnet Phase V supports distributed naming services, 
X.400 electronic messaging, and Common Management 
Information Protocol (CMIP) 
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Exercise One (Ethernet) 


Objective: Use the Expert Sniffer Analyzer to troubleshoot a duplicate DECnet 
address. 


Background: The Expert Sniffer Analyzer looks at DECnet End-node Hello frames to 
identify duplicate DECnet addresses. 


1. Load the file C:\CAPTURE\TC102\DUPDEC.ENC. 


2. Press F3. Arrow down to the Network Stations layer. Press Enter to view the 
Network Station Diagnosis Summary. What is the diagnosis? 


3. Press F1 to explain the diagnosis. Read the explain screen. How does the method for 
finding duplicate DECnet addresses differ from the methods for finding duplicate IP 
addresses? 


4. Press Escape to escape from the explain screen. Press F2 to filter and display frames 
related to this problem. 


5. Explain why Expert Sniffer Analyzer flagged a duplicate network layer address 
condition. 
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Exercise Two (Ethernet) 


Objective: Determine why the file transfer from station 7.52 to station 7.45 of the file 
“LOG” is so slow. 


Background: Station 7.45 seems to be very slow reading files. 


1. Load and display the trace file C:\CAPTURE\TC102\DEC.ENC. Ignore the Expert 
diagnosis of Duplicate network address. (This is not a true duplicate.) 


2. Identify the DECnet addresses of the three routers on this network. (Hint: Routers send 
Router Hello messages to each other. At least one router will also send Hello messages 
to End Nodes.) 


3. Find the frame where 7.45 initiates an “Open existing file” request for the file: 
SYS$SPECIFIC:[DECNET]NETSERVER.LOG;32. (Hint: Search for text “Open 
existing file”. Look in the Detail window to verify the name of the file being opened.) 
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Exercise Two (continued) 


4. We will concentrate on the NSP layer. Set up a Display Protocol Filter to not 
show DAP. NSP will now be the highest layer in the Summary window. You 
can still see DAP in the Detail window. 


5. In frames 165, 166, and 167, station 7.52 starts sending data for the LOG file. Set 
your mark at frame 165 and turn on Relative Time. 


Scroll all the way to the right of the Summary window. What Data Segment 
Number (DSEG) does 7.52 send in 


frame 165? frame 166? frame 167? 


6. How much time elapses between the time 7.52 starts the transfer of segments 4, 
5, and 6 and the time that 7.45 acknowledges these segments? (Hint: a recipient 
can acknowledge multiple segments at a time. DACK=6 means “I’ve received all 
data segments through segment 6.” Be sure to scroll all the way to the right in the 
Summary window to see DACK.) 


7. How much time elapses between the time 7.52 starts the transfer of segments 7, 
8, and 9 and the time that 7.45 acknowledges these segments? 
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Exercise Two (continued) 


8. Study the NSP layer in the Detail window of Frame 180. From the Link Service Flags, 
what does it seem that 7.45 is telling 7.52? (Hint: The Summary window helps here 
also. FC = OFF in the Summary window means Flow Control is off.) 


When does 7.45 reverse this command and allow data transfer to continue? 


9. Why did 7.45 get so far behind in acknowledging data segments 7, 8 and 9 from 7.52? 
Hint: What other types of frames is 7.45 processing? 


10. How would you fix this problem? 
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Exercise (Token Ring) 


[Figure: Token Ring network with Token Ring Bridge #1, Token Ring Bridge #7, Token Ring Bridge #8, a Token Ring/WAN bridge, and two Ethernet/Token Ring Bridges, each leading to DEC nodes.] 


Company ABC has installed Ethernet/Token Ring Bridges so 
that DEC nodes on remote Ethernet networks can 
communicate across the Token Ring network. 

What negative effects will this have on the Token Ring 
network? What would be some alternate configurations? 
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Exercise (continued) 
OBJECTIVE: Determine what traffic could be eliminated on this Token Ring network. 


1. Load the Token Ring Network Analyzer. 
2. Load and display the trace file C:\CAPTURE\TC105\DECRING.TRC 


3. Identify the DEC traffic that will go to all Token Ring networks. (i.e. will LAT 
traffic go to all Token Ring networks? NSP? other DEC protocols?) 


4. What would be some alternate configurations to the one chosen on the previous page 
that would still allow the DEC nodes to communicate but not affect the Token Ring 
networks? 


5. On the Ethernet side, DECnet sends Router Hello messages to a destination multicast 
address of AB0000030000. This multicast address means send to all DEC routers. 
How does the Ethernet/Token Ring bridge translate this address into a Token Ring 
address? (i.e. what is the Token Ring destination address for Router Hello 
messages?) 
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Extra Credit Question 


6. Hexadecimal addresses are shown one nibble (1/2 byte) at a time on the Sniffer and on 
most debugging tools. 


   A    B  |    0    0  |    0    0  |    0    3  |    0    0  |    0    0 
1010 1011  | 0000 0000  | 0000 0000  | 0000 0011  | 0000 0000  | 0000 0000 


An Ethernet/Token Ring bridge reverses the bits, one byte at a time. 


Using these hints, determine how the Ethernet address AB0000030000 for all DEC 
Routers gets translated to a Token Ring address. Fill in the boxes below, by reversing the 
bits and calculating the hexadecimal value of each nibble, as shown in the example 
above. (For an additional hint, see the binary-to-hex table on the next page.) 
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Binary to Hexadecimal Conversion 




HEX TABLE 
0000 = 0 
0001 = 1 
0010 = 2 
0011 = 3 
0100 = 4 
0101 = 5 
0110 = 6 
0111 = 7 
1000 = 8 
1001 = 9 
1010 = A or 10 
1011 = B or 11 
1100 = C or 12 
1101 = D or 13 
1110 = E or 14 
1111 = F or 15 
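
The DECnet Addresses slide (area and node to DLC address) and the bridge bit reversal described in the extra credit question can be checked with one small tool. This is an added example, not part of the course material; the function names are chosen here, and the limits of 63 areas and 1023 nodes are the ones stated on the Level 1 and Level 2 Routers slide.

```python
from typing import Optional, Tuple

DECNET_PREFIX = bytes.fromhex("AA000400")  # AA-00-04-00, prepended per the slide
MAX_AREA, MAX_NODE = 63, 1023              # limits from the routing slides


def parse_mac(text: str) -> bytes:
    """Accept AA-00-04-00-6E-44, AA:00:04:00:6E:44 or AA0004006E44."""
    mac = bytes.fromhex(text.strip().replace("-", "").replace(":", ""))
    if len(mac) != 6:
        raise ValueError(f"expected 6 bytes, got {len(mac)}")
    return mac


def format_mac(mac: bytes) -> str:
    return "-".join(f"{b:02X}" for b in mac)


def decnet_to_dlc(area: int, node: int) -> bytes:
    """area * 1024 + node, written low byte first, after AA-00-04-00."""
    if not 1 <= area <= MAX_AREA:
        raise ValueError(f"area {area} outside 1..{MAX_AREA}")
    if not 1 <= node <= MAX_NODE:
        raise ValueError(f"node {node} outside 1..{MAX_NODE}")
    address = area * 1024 + node
    # "Invert the pairs" on the slide is a byte swap, i.e. little-endian order.
    return DECNET_PREFIX + address.to_bytes(2, "little")


def dlc_to_decnet(mac: bytes) -> Optional[Tuple[int, int]]:
    """Recover (area, node) from a DECnet-derived DLC address, else None."""
    if len(mac) != 6 or mac[:4] != DECNET_PREFIX:
        return None
    address = int.from_bytes(mac[4:], "little")
    area, node = address >> 10, address & 0x3FF
    if area == 0 or node == 0:
        return None
    return area, node


def reverse_bits(byte: int) -> int:
    """Reverse the bit order inside one byte, e.g. 1010 1011 -> 1101 0101."""
    result = 0
    for _ in range(8):
        result = (result << 1) | (byte & 1)
        byte >>= 1
    return result


def swap_bit_order(mac: bytes) -> bytes:
    """Ethernet form <-> Token Ring form; the operation is its own inverse."""
    return bytes(reverse_bits(b) for b in mac)


def identify(text: str, token_ring: bool = False) -> Optional[str]:
    """Return 'area.node' for an address seen in a trace, or None.

    Set token_ring=True when the address was read from a Token Ring trace,
    where a bridged DECnet address appears with each byte bit-reversed.
    """
    mac = parse_mac(text)
    if token_ring:
        mac = swap_bit_order(mac)
    decoded = dlc_to_decnet(mac)
    return None if decoded is None else f"{decoded[0]}.{decoded[1]}"


if __name__ == "__main__":
    station = decnet_to_dlc(17, 110)                # the slide's example
    print(format_mac(station))                      # Ethernet form
    print(format_mac(swap_bit_order(station)))      # form seen on the ring
    print(identify("55-00-20-00-76-22", token_ring=True))
```
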
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Thick/Thin Configuration 


[Figure: thick/thin cabling configuration. Labels: Transceiver Connection BNC/DIX; Big Blue; Thin Net/CheaperNet/Thin Ethernet; 10Base2 Transceiver; 10BaseT Transceiver; Sniffer Connections; 10Base5 Transceiver; Thick Ethernet.] 


Suggested configuration is to use DIX Connector for 
use with 10Base5, 10Base2, or 10BaseT. 
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LAN Analysis Tools 


Expert Sniffer® Network Analyzer 


Foundation Manager™ 


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Expert Sniffer Network Analyzer 


LAN Segment 


• Automatic identification of common network 
problems at all seven OSI layers in real-time 


• Top-down view of the network, providing an 
end-user perspective 


• Real-time configuration “learning” 


• Explanations that recommend solutions to 
problems 
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Sniffer Network Analyzer 


LAN Segment 


• Full 7-layer protocol analysis 

• Complete suite of network protocols 

• All popular network topologies 

• Local and wide area network connections 

• Advanced Monitoring: statistics, alarms and reports 
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LAN and WAN Connections 


Extending the benefits of network analysis to the wide area 


LAN Segment 


Bridge/Router 


• Full 7-layer protocol analysis on your WAN: 
— Enables improved applications performance 
— Leads to decreased monthly line costs 
— Consistent user interface eliminates additional user training 
— Dual LAN/WAN support minimizes customer investment 
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TeleSniffer 


• TeleSniffer software (DCA Remote) is 
included with every Sniffer to allow remote 
access to the analyzer via RS-232 media, 
either with a direct connection or modem 
interface. 


• Access may be gained using TeleSniffer 
Remote Software on most PC compatibles 
using popular modems. 
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Distributed Sniffer System 


[Figure: Distributed Sniffer System. Labels: several Sniffer Servers, including one in San Francisco and one in Tokyo, and a Console.] 
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SniffMaster Console 


¢ Provides simultaneous access to up to 30 Sniffer Servers 

¢ Consolidates alarm information from multiple Sniffer Servers 
¢ Downloads updates and new applications to Sniffer Servers 

¢ Provides centralized printer support 


¢ Both Ethernet and Token Ring Consoles are supported 


¢ The SniffMaster Console is available as a turn-key system or as 
a software-and-interface-board kit for use on any standard PC. 
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SniffMaster for X 


• Runs on a Sun SPARCstation with SunOS 4.1.x or later 
• Based on X-Window (X11.R4) and Motif Graphical User Interfaces (GUI) 
• Simultaneous views of multiple Sniffer Servers 


• Mouse and Icon control of Sniffer Servers 


• Consolidated alarm log, using a separate window called the Alarm Viewer 
• Support for SNMP Traps 


• Communicates with Sniffer Servers using TCP/IP 
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Sniffer Servers 
• Network interfaces for Ethernet, Token Ring and WAN. 


• Analysis and Monitoring Applications for problem solving 
and performance optimization. 


• Servers communicate with multiple SniffMaster Consoles. 


• Statistics, alarms, and protocol information are stored on the 
Server to minimize network traffic. 


• Servers communicate with consoles through bridged and 
routed networks 
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Sniffer and DSS Functional Differences 


— External triggers (COM1) | — Printing to LPT1 or LPT2 
— Audible clicks 


— Token Ring speed change 
through software switch 


— Printing to LPT1 or COM1 
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Filename Reference 


C:\ENSNIFF\STARTUP.END      Names Table 
C:\ENSNIFF\STARTUP.ENT      EtherTypes (Advanced Monitoring) 
C:\ENSNIFF\STARTUP.ENI      Vendor Codes 
C:\ENSNIFF\DEFAULTS.ENS     Network General Default Sniffer Setup 
C:\CAPTURE\STARTUP.ENS      Customer Default Sniffer Setup 
[Your name] .ENC            Trace (DATA) Files 
[Your name] .ENS            Setup Files 
[Your name] .PRN or .CSV    Print Files 
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Where to go from here... 


Below are some suggestions on what to do when you get back to your office 
to begin realizing additional benefits from your Sniffer Analyzer. 




Establish a baseline for each mission-critical segment of your network. 
Use the Advanced Monitoring for at least one day (and up to one week) to 
collect some typical measurements. 


Take a live capture off of your network and study it. See what protocols 
you use and compare them with where they fit in with the protocol suites in 
the 7-layer model from your training binder or the Sniffer Network and 
Protocol Reference Manual, chapter 2. Learn more about these protocols 
by filtering on these protocols and examining typical packets. Consult 
Appendix B Bibliography from the same manual for some recommended 
text books. 


Update your Names Table. Perform a Look for Names in order to add 
names. Then document other stations. 


Make a back-up of your Sniffer software including the Names Table. 


Document your network today! 
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Recommended Reading Materials 
1. ANSI/IEEE, Carrier Sense Multiple Access with Collision Detection (CSMA/CD), IEEE Standard 802.3, 
Published by The Institute of Electrical and Electronics Engineers, Distributed in cooperation with 
Wiley-Interscience, a division of John Wiley & Sons, 1985. (supplements also available) 

2. Apple Computer, Inc, AppleTalk Network System Overview, Addison-Wesley Publishing Company, 1989. 

3. Comer, Douglas E., Internetworking with TCP/IP: Volume I, 2nd edition, Prentice Hall, 1991. 

4. Malamud, Carl, Analyzing Novell Networks, Van Nostrand Reinhold, 1990. 

5. Malamud, Carl, DEC Networks and Architectures, McGraw-Hill, 1989. 

6. Miller, Mark A., Internetworking: a Guide to Network Communications LAN to LAN: LAN to WAN, 
M&T Books, 1991. 

7. Miller, Mark A., LAN Protocol Handbook, M&T Books, 1990. 

8. Miller, Mark A., LAN Troubleshooting Handbook, M&T Books, 1989. 

9. Nemzow, Martin, Keeping the Link: Ethernet Installation & Management, McGraw-Hill, 1988. 

10. Sidhu, Gursharan, Andrews, Richard, Oppenheimer, Alan B, Inside AppleTalk, 2nd Edition, 
Addison-Wesley Publishing Company, 1990. 
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How to Contact Network General 


• Technical Support Hotline 
(800) 395-3151 
FAX: 415-327-9436 
Internet: support@ngc.com 
CompuServe: type GO NETGENERAL at any ! prompt 


• SniffNet Bulletin Board 
(415) 327-4782 300-14,400 bps, 8, N, 1 


• HAVE YOUR SERIAL NUMBER READY! 
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The IBM Cabling System 


Type 1 — Shielded data-grade cable with two solid twisted pair 22 AWG 
wires; available in indoor, outdoor, plenum and non-plenum 


Type 2 — Same as indoor Type 1 with the addition of four solid twisted pairs 
of telephone grade (26 AWG) wire added around the outside of the shield 


Type 3 — unshielded twisted pair “telephone wire” - 2,4 or 6 pair solid AWG 
#22 or #24 


Type 5 — 100/140 Fiber cable 
Type 6 — Data Grade wire of stranded shielded 26 AWG, used for “patch” cables 


Type 8 — 26 AWG shielded twisted-pair data grade wire for use under a carpet 


Type 9 — Low cost short distance 26 AWG shielded twisted-pair in a plenum 
jacket, used where stringent fire-codes apply 
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25 MAC Frames 


Cmd    Frame                        Description 

X'00'  Response                     Acknowledge receipt of a MAC response 
X'02'  Beacon                       Sent to report a serious ring problem 
X'03'  Claim Token                  Sent to re-establish an active monitor 
X'04'  Ring Purge                   Sent by active monitor when token is lost or monitor contention completes 
X'05'  Active Monitor Present       Inform standby monitors of the active monitor's presence 
X'06'  Standby Monitor Present      Sent by each standby monitor to identify itself 
X'07'  Duplicate Address Test       Sent during attachment to assure no other station has same address 
X'08'  Lobe Media Test              Loop-back test sent before attachment to test lobe cable 
X'09'  Xmit Fwd (not in 802.5)      Sent by Config. Report Server to tell station to return a frame with specified data 
X'0B'  Remove Station               Sent by Config. Report Server to remove station from ring 
X'0C'  Change Parameters            Sent by Config. Report Server to set ring operational values 
X'0D'  Initialize Station           Sent by Parameter Server on response to station's Request Initialization frame 
X'0E'  Request Station Address      Sent by Config. Report Server to request station's address 
X'0F'  Request Station State        Sent by Config. Report Server to request station's state 
X'10'  Request Station Attachments  Sent by Config. Report Server to request information on product 
X'20'  Request Initialization       Sent to Parameter Server to request parameters after attachment 
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25 MAC Frames (continued) 


Cmd    Frame                              Description 

X'22'  Report Station Address             Response to X'0E' 
X'23'  Report Station State               Response to X'0F' 
X'24'  Report Station Attachments         Response to X'10' 
X'25'  Report New Active Monitor          Sent to Config. Report Server to report station has become active monitor 
X'26'  Report SUA Change                  Sent to Config. Report Server when new upstream neighbor detected 
X'27'  Report Ring Poll Fail              Sent by Active Monitor to Error Monitor when Neighbor Notification fails 
X'28'  Report Active Monitor Error        Sent by Active Monitor to Error Monitor if another Active Monitor is detected 
X'29'  Report Soft Error                  Sent to Error Monitor to report soft error 
X'2A'  Report Xmit Fwd (not in 802.5)     Response to X'09' 
Debugging Token Ring Problems By Using MAC Frames


Token Ring not only provides a network for transporting user data, 
but it also provides information about the status of the network. 
This information is contained in Medium Access Control (MAC) 
frames, which are generated automatically by the network adapter 
without any intervention from the host computer. Normal data 
frames sent by the host are called Logical Link Control (LLC) 
frames. 


By understanding the various types of MAC frames and the 
information they contain, a network manager can easily find and fix 
problems in a token ring. 


In a normal ring one station will be the "active monitor." The active 
monitor is responsible for ring timing, and confirming that a token 
or good frame is detected every 10 ms. The active monitor also 
issues an Active Monitor Present MAC frame every 7 seconds. The 
process of determining the active monitor is called monitor 
contention, and is started with a Claim Token MAC frame. 
• Ring Purge MAC Frames


Ring Purge MAC frames are sent by the active monitor when it 
detects that a token has been lost. A lost token is usually the result 
of a station entering or leaving the ring, or some other physical 
configuration change in the ring. When the active monitor receives 
its Ring Purge, it issues a free token and the ring returns to normal. 


If the active monitor does not receive its Ring Purge MAC frame 
within one second, it issues a Claim Token MAC frame and goes 
into monitor contention. 
• Claim Token MAC Frames


The Claim Token MAC frame indicates that the ring has entered 
monitor contention. This is the bid process to select a new active 
monitor for the ring. If monitor contention completes successfully, 
the station with the highest address becomes the active monitor. If 
no station becomes the active monitor within one second, the ring 
goes into "beaconing". 
• Beacon MAC Frames


The Beacon MAC frame indicates that there is a problem in the 
token ring that makes the ring inoperable. A ring can be 
"beaconing" due to a physical break in the ring (signal loss), or a 
timeout during monitor contention. Although a "beaconing" ring is 
inoperable, the information contained in the Beacon MAC frame is 
usually enough to help the network manager put the ring back into 
operation. 


If the station sending the Beacon MAC frames receives its own Beacon 
MAC frame, it will stop "beaconing" and go into monitor contention 
to place the ring back into normal operation. 


If the problem persists for 16 seconds, the beaconing station will 
remove itself from the ring and do a self test. If the self test is OK, 
the station will reinsert into the ring and resume beaconing; 
otherwise it will assume that it is the cause of the problem and stay 
out of the ring. 

The Beacon MAC frame has the following three fields that are 
useful for repairing the ring: the address of the station that detected 
the failure (the source address of the Beacon frame), the last Nearest 
Active Upstream Neighbor (NAUN) of the station that detected the 
fault, and the beacon type. 


By using the two station addresses in the frame, the "fault domain" 
can be determined. If the Beacon Type is Signal loss error 
(0x0002), then the most likely problem is a cable break between the 
NAUN and the source station of the Beacon MAC frame. Check the 
cabling between the two stations to find the fault. If it is difficult to 
check the cabling or there is a need to restore the ring quickly, 
bypass the ring between the two stations. 


The other two Beacon Types, Streaming Signal, not Claim Token 
(0x0003) and Streaming Signal, Claim Token (0x0004), indicate 
that the cabling is not the problem. The problem is most likely 
either a malfunctioning adapter, or a station that has inserted into the 
ring at the wrong speed. Check the two stations listed in the Beacon 
MAC frame and any intervening devices (i.e. repeaters). 
• Report Soft Error MAC Frames


Each adapter counts and reports soft errors which occur during normal 
operation. When the adapter detects a soft error, it increments the 
appropriate soft error counter and starts the soft error timer. When the soft 
error timer expires, a Soft Error MAC frame is transmitted by the adapter 
and the soft error counters are reset to zero. The default value for the soft 
error timer is two seconds. By delaying the reporting of a soft error the 
station can collect multiple error counts into one frame during periods of 
high numbers of errors, thus avoiding additional network traffic. 


When looking for the cause of a soft error, it is important to remember that 
the soft error frame is delayed at least two seconds after the event that caused 
the error. So when looking for the cause of a soft error, use the relative time 
in the trace display to find the network activity two seconds before the Soft 
Error MAC frame. 

When looking at the Soft Error MAC frame, typically all of the counters 
except for one will be zero, and the counter of interest will be the non-zero 
counter. 


The error counters in the Soft Error MAC frame are divided into two groups: 
isolating error counters, and non-isolating error counters. 


The isolating error counters isolate errors to two stations, and any cabling or 
equipment between the two stations. The addresses of the stations are the source 
address for the frame and the NAUN address included in the frame. These 
errors are only counted by the first adapter detecting the error. 


The non-isolating error counters count errors that could have been caused by 
any other adapter on the ring. However, only the detecting adapter counts the 
error. 


The isolating error counters include: Line errors, Internal errors, Burst errors, 
AC errors, and Abort delimiters transmitted. 


The non-isolating error counters include: Lost frame, Receive congestion, 
FC error, Frequency error, and Token error. 


A Lost frame error indicates that a station transmitting a frame failed to 
receive the frame. Because the frame has been lost, the station will not issue 
a token, causing the active monitor to issue a new token. 


A Receive congestion indicates that the station was unable to receive a 
frame because of lack of buffer space. 


An FC copied error indicates that there might be a duplicate address on the 
ring or that there was a data error on the ring. 


A Frequency error indicates that the receive signal is off frequency. If this 
occurs often, check the active monitor. 


A Token error indicates that the token has been lost. This error is generated 
only by the active monitor when it recognizes the need to create a new token. 
If this error occurs, there could be Soft Error MAC frames from other stations 
indicating either Line errors, Burst errors or Lost frame errors. 


Ethernet and Token Ring Network Analysis & Troubleshooting - 6/94 Rev. 4.4T 
© Copyright 1990 - 1994 Network General Corporation. All rights reserved. 

A Line error indicates that there was an invalid character in a frame or token or that 
there was a checksum error in a frame. If these errors are infrequent then they are 
most likely caused by a reconfiguration of the ring. If they are happening often, then 
there could be a problem with the NAUN. 


An Internal error indicates that the station had a recoverable internal error. If a 
station is reporting multiple internal errors it is an indication that the station is 
marginal. 

A Burst error indicates that there was a signaling error in the cable. Burst errors 
typically occur when a station either enters or leaves the ring. If they occur at any 
other time it is an indication that there is a problem with the cabling. 


An AC error indicates that the NAUN was unable to set the Address Recognized 
and Frame Copied bits in an Active Monitor Present or Standby Monitor frame it has 
copied. 

An Abort delimiter transmitted error indicates that there was a problem with the 
reporting station. If this occurs frequently, check the adapter on the reporting 
station. 
• Ring Reconfiguration


Ring reconfiguration can be caused by a station either entering or leaving 
the ring, or by cabling changes. Normally ring reconfigurations will 
cause one or more Soft Error MAC frames. If the reconfiguration was 
caused by a station entering or leaving the ring, the trace will contain one 
or more Report Stored Upstream Address (SUA) Change MAC frames 
about two seconds before the Soft Error MAC frames. 
• Station Entering the Ring


When a station enters the ring, the following MAC frames are 
normally seen: Ring Purge, one or two Duplicate Address Tests, 
Report SUA Change, and four Request Initialization frames. If 
there was a Ring Purge, then two seconds later there will be a 
Report Soft Error when the Active Monitor reports that it had to 
regenerate the token. 
• In the example below, station 0000A6E00022 inserted into 
the ring just upstream from station 10005A3A9FF3. 


Delta
Time    Dest             Source         Frame type
0.000   Broadcast     <- 10005A3A9FF3   MAC Ring Purge
0.001   0000A6E00022  <- 0000A6E00022   MAC Duplicate address test
0.003   0000A6E00022  <- 0000A6E00022   MAC Duplicate Address Test
0.119   Config Srv    <- 0000A6E00022   MAC Report SUA Change
0.139   Config Srv    <- 10005A3A9FF3   MAC Report SUA Change
0.140   Param Server  <- 0000A6E00022   MAC Request Initialization
0.141   Param Server  <- 0000A6E00022   MAC Request Initialization
0.142   Param Server  <- 0000A6E00022   MAC Request Initialization
0.143   Param Server  <- 0000A6E00022   MAC Request Initialization
2.171   Error Mon     <- 10005A3A9FF3   MAC Report Soft Error
• Station Leaving the Ring


When a station leaves the ring the following MAC frames are normally 
seen: Ring Purge, Report SUA Change, and if there was a Ring Purge, a 
Report Soft Error occurs two seconds later. 


• In the example below, the station just upstream from 
10005A3A9FF3 left the ring. 


Delta
Time    Dest             Source         Frame type
0.000   Broadcast     <- 10005A3A9FF3   MAC Ring Purge
0.139   Config Srv    <- 10005A3A9FF3   MAC Report SUA Change
2.180   Error Mon     <- 10005A3A9FF3   MAC Report Soft Error
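
The two traces above can be read mechanically. The following is an added example, not part of the course material: it groups the frames that follow each Ring Purge, labels the reconfiguration as a station entering or leaving, and attaches the Report Soft Error that arrives about two seconds later, so that only soft errors with no matching purge are left to investigate. The sample rows are constructed, the first column is treated as time relative to the first frame, and the 1-second grouping window, the 0.5-second slack and the function names are assumptions of this example.

```python
import re

# Constructed sample in the trace layout used above; the station addresses are
# the page's, the second and third events and their timings are made up.
TRACE = """\
0.000 Broadcast <- 10005A3A9FF3 MAC Ring Purge
0.001 0000A6E00022 <- 0000A6E00022 MAC Duplicate Address Test
0.003 0000A6E00022 <- 0000A6E00022 MAC Duplicate Address Test
0.119 Config Srv <- 0000A6E00022 MAC Report SUA Change
0.139 Config Srv <- 10005A3A9FF3 MAC Report SUA Change
0.140 Param Server <- 0000A6E00022 MAC Request Initialization
2.171 Error Mon <- 10005A3A9FF3 MAC Report Soft Error
30.000 Broadcast <- 10005A3A9FF3 MAC Ring Purge
30.139 Config Srv <- 10005A3A9FF3 MAC Report SUA Change
32.180 Error Mon <- 10005A3A9FF3 MAC Report Soft Error
47.500 Error Mon <- 0000A6E00022 MAC Report Soft Error
"""

ROW = re.compile(r"^(\d+\.\d+)\s+(.+?)\s+<-\s+([0-9A-F]{12})\s+MAC\s+(.+?)\s*$")

def parse_trace(text):
    """Return (time, dest, source, frame_type) tuples; frame type is lower-cased."""
    frames = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            frames.append((float(m[1]), m[2], m[3], m[4].lower()))
    return frames

def explain_reconfigurations(frames, window=1.0, delay=2.0, slack=0.5):
    """Classify each Ring Purge and tie in the delayed Report Soft Error."""
    # delay is the default soft error timer (two seconds); window and slack
    # are assumptions chosen for this example, not values from the course.
    events, explained = [], set()
    for t0, _, monitor, kind in frames:
        if kind != "ring purge":
            continue
        near = [f for f in frames if t0 <= f[0] < t0 + window]
        dat = [f[2] for f in near if f[3] == "duplicate address test"]
        sua = [f[2] for f in near if f[3] == "report sua change"]
        cause, station = "purge only", None
        if dat:
            cause, station = "station entering", dat[0]
        elif sua:
            cause = "station leaving"  # only the downstream neighbor reports
        soft = None
        for i, f in enumerate(frames):
            if (f[3] == "report soft error" and f[2] == monitor
                    and delay <= f[0] - t0 <= delay + slack):
                soft = f[0]
                explained.add(i)
                break
        events.append({"time": t0, "cause": cause, "station": station,
                       "sua_reporters": sua, "soft_error_at": soft})
    unexplained = [(f[0], f[2]) for i, f in enumerate(frames)
                   if f[3] == "report soft error" and i not in explained]
    return events, unexplained
```

Calling `explain_reconfigurations(parse_trace(TRACE))` returns the two reconfiguration events and one soft error at 47.5 seconds that no Ring Purge accounts for, which is the frame to examine using the counter descriptions earlier in this section.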
The Neighbor Notification (Ring Poll) Process


The Ring Poll Starts Every Seven Seconds


Active Monitor: steps #1, 4, 7, 10, 13
Standby Monitor: steps #2, 5, 8, 11
Standby Monitor: steps #3, 6, 9, 12


#1:  - capture free token
     - start ring poll by issuing MAC AMP frame: source is this AM's
       MAC address, destination is broadcast
     - set FS bits (Address Recognized & Frame Copied) of AMP frame to 00
     - Note: AM's NAUN (node C) is not necessarily valid until end of
       first ring poll

#2:  - note that ring poll has started
     - note that FS bits (AR & FC) in AMP frame are 00, therefore
       A is NAUN and AM
     - set FS bits to 11
     - bit-repeat AMP frame

#3:  - note that ring poll has started
     - bit-repeat AMP frame

#4:  - note that FS bits are set to 11 in AMP frame, therefore address
       recognized and frame copied by destination
     - remove originated frame from ring
     - issue free token

#5:  - capture free token
     - issue MAC SMP frame: source is this SMP's MAC address,
       destination is broadcast
     - set FS bits to 00

#6:  - note that FS bits in SMP frame are 00, therefore B is NAUN
     - set FS bits to 11
     - bit-repeat SMP frame

#7:  - set monitor bit to 1
     - bit-repeat SMP frame

#8:  - note that FS bits are set to 11
     - remove originated frame from ring
     - issue free token

#9:  - capture free token
     - issue SMP frame: source is this SMP's MAC address,
       destination is broadcast
     - set FS bits to 00

#10: - note that FS bits in SMP frame are 00, therefore C is NAUN
     - set FS bits to 11
     - set monitor bit to 1
     - bit-repeat SMP frame

#11: - bit-repeat SMP frame

#12: - note that FS bits are set to 11
     - remove originated frame from ring
     - issue free token

#13: - ring poll is complete


Note: All MAC frames contain the NAUN's MAC address for troubleshooting 
purposes. Each node has up to 20 milliseconds to queue its neighbor notification 
frame. Once its turn arrives, the station can output LLC or MAC frames during 
that timeframe. 
Source Routing 

Samples of Source Route Names 


IEEE 

All Routes Explorer 
Spanning Tree Explorer 
Specifically Routed frame 


IBM 

All Routes Broadcast 
Single Route Broadcast 
Non-Broadcast 


Cisco 
All Rings Explorer 
Spanning Explorer 


Wellfleet 

All Paths Explorer 
Spanning Tree Broadcast 
Specifically Routed frame 
NetBIOS Appendix 
NetBIOS Name Management Frames 

Command                 Hex Value   Function
Add_Name_Query                      Check for duplicate name on network
                                    (Defaults to being sent out 6 times at 1/2
                                    second intervals.)*
Add_Group_Name_Query                Check for duplicate group name on network*
Add_Name_Response                   Negative response: add name is duplicate
Name_In_Conflict                    Duplicate names detected

* "No news is good news": no response means name is unique 
NetBIOS Session Setup and Termination Frames 

Command                 Hex Value   Function
Name_Query                          Locate a name on the network
Name_Recognized                     Name recognized: Name_Query response
Session_Initialize                  A session has been set-up
Session_Confirm                     Session_Initialize acknowledgment
Session_Alive                       Verify session is still alive
Session_End                         Session termination
NetBIOS Data Transfer Frames 

Command                 Hex Value   Function
Data_Ack                            Acknowledgement to Data_Only_Last
Data_First_Middle                   Session data message - first or middle frame
Datagram                            Application-generated datagram
Datagram_Broadcast                  Application-generated broadcast datagram
Data_Only_Last                      Session data message - only or last frame
No_Receive                          No receive command to hold received data
Receive_Continue                    Indicates receive outstanding
Receive_Outstanding                 Re-transmit last data - receive command up
NetBIOS Additional Frames 

Command                 Hex Value   Function
Status_Query                        Request remote node status
Status_Response                     Remote node status information
Terminate_Trace_1                   Terminate traces at remote nodes
Terminate_Trace_2                   Terminate traces at local and remote nodes